"At the center of business management news and business information in the Middle East..."

Manning the defences


Being on top of the risks posed to your business is mission-critical, and nowhere more so than for the banking giants, says Hariharan Iyer, Head of Information Security at Dubai Bank.


“Until all the banks in the region unite together to discuss their issues and work for a common goal on security, issues will always exist”
-Hariharan Iyer, Dubai Bank

Close to Dubai’s World Trade Centre, just off the city’s gleaming financial hub on Sheikh Zayed Road, you will find the home of Dubai Bank. It is here that Hariharan Iyer is busy managing all of the information security risks and threats thrown at this Shariah-compliant lender. For any bank, whether it is headquartered in Dubai, Denmark or Djibouti, the burgeoning arena of information security has crept into every aspect of its operations. There are swathes of information swishing about in banking systems that need to be protected from both outsiders and corrupt insiders. “Staying ahead of the bad guys is always a challenge,” Iyer reveals philosophically whilst leaning back in his leather chair, “but as an information security professional, the objective is keeping the distance between us and them to a minimum.”

For him, a holistic view of the bank’s business is critical, not just desirable. “The key to good security is to have good knowledge of business processes.” This can lead to sound decision-making. “With our technical teams and business process understanding, we can make critical decisions look very simple and easy to manage.” Iyer draws upon his wealth of information security experience to keep the defences tight, but he highlights a list of obstacles that his department has to deal with. “Some of the challenges we face include awareness coverage, control enforcement alignment to the dynamics of business process and technology, physical security gaps, and source data protection in the domain of unstructured data.”

He goes on to say that the strategy normally adopted to mitigate threats at Dubai Bank is control layering. “Every system architecture and business process is exposed with control layers for protection. The risk assessment methodology reviews this control layer and states the weakness based on the layer, so that the team can focus on improving a respective layer’s controls.”

Founded in 2002, Dubai Bank was the first institution in the Middle East to incorporate information security into the risk management group. Iyer, who has worked for the bank for three years, is there to review risks, security assessments, business continuity, physical security concerns, and more. Indeed, his 16-year working career has been spent establishing business-agile technology and security solutions. Iyer says that he and his team at Dubai Bank adapt to the business of risk and manage it for the “interests of the business”.

Risks
During BM’s meeting with Iyer he identifies four common security risks for banks today: unencrypted data being stored or shipped; warehoused data or information being available to unauthorised users; unmanaged file servers; and an unauthorised function or module in the system being available without any controls because of access profiles. As you would expect, protecting bank and customer data is one of his top priorities. “Data is an important business for any bank in the world; they use it from initiation to monitoring and reporting, as well as for many critical decisions. Data exists in many forms within a bank.”

But it’s not just outside threats; risks can stem from your own employees. With storage devices like memory sticks and diminutive hard drives able to hold ever more information, preventing staff from removing critical data from your site is a serious concern. It creates a headache for CISOs the world over but can be controlled by internal policies, suggests Iyer. A similar concern is staff working remotely and data being lost or stolen. “Yes, this is a concern,” Iyer confirms, “but the boundaries have widened and the controls or protection strategies cannot be laid with just the consideration of external and internal perimeter definitions. The basic ingredient is in the definition of controls, by reviewing the source of the threats.” He says data, processing and usage visibility is a threat source. “The associated controls of these threat sources are considered for risk reviews and the information gathered on visibility is the key to deterrents. An example is a customer making an online transaction and using a branch to execute a transfer concurrently.” He continues: “In order to have successful control measures in place, the information security team needs to have know-how of business processes and usage of technology solutions.”

Hooks
A real headache in recent years has been the explosion in phishing, as criminals look to prey on the gullibility of customers with phony emails purporting to be from their bank. Customers click on a link to a fake site impersonating their bank, update some personal details, and their accounts are subsequently raided. In the last issue of BM we heard how National Bank of Kuwait CISO Tamer Gamali dealt with a recent phishing scam aimed at the lender’s customers. It’s a growing concern for banks in the region as the fraudsters increasingly dangle their bait for new victims in different parts of the world. “Yes, phishing is a concern,” Iyer muses. “We mark this threat source as ‘behaviours’ but we have a lot to do in this area, especially when it comes to customer literacy and the culture of gathering information from them.” He adds: “All the banks should work together in combating this risk. The behaviour of each bank to gather and provide information is targeted as a threat. The desire is to have a government body that is influential in combating such threats, which can be helpful. We as banks can be a part of this to create customer protection that, in turn, provides safeguards for banks. Until then, this region will be attractive for such threats.”

One expert on the subject is David Jevans, Chairman of the Anti-Phishing Working Group (APWG). He says that over the next 12 months the gangs are going to become more determined and devious than ever: “We expect that the current global financial crisis will continue to give phishers new ways to create believable social engineering attacks to steal account credentials and to spread crimeware.” He goes on to say: “In the fourth quarter of 2008 there were numerous attacks against customers of major financial institutions that were being acquired or were in the news receiving government aid. In 2009 we can expect an increase in money mule recruitment scams, where criminals recruit unemployed consumers to act as online funds transfer agents, or to reship goods that were purchased using stolen credit card numbers.” In the meantime, Iyer says collaboration between the financial institutions in the Gulf is needed to tackle all security threats, not just phishing. “Until all the banks in the region unite together to discuss their issues and work for a common goal on security, issues will always exist.”

