At the Session 03 Panel from left Asia Policy Partners LLC, Hong Kong Managing Partner Michael R K Mudd, Microsoft Sri Lanka and Maldives Country Manager Brian Kealy, NDB Bank PLC Chief Operating Officer Rohan Muttiah and Moderator Daily FT Editor Nisthar Cassim 

  • Daily FT-CICRA Cyber Security Summit puts spotlight on vulnerability of banking and finance to cyber attacks and how industry is responding

The number of cyber attacks targeting banks and other financial institutions has grown exponentially over the last two decades, posing great risks to the global financial sphere, Michael Mudd, the Managing Partner of Asia Policy Partners LLC in Hong Kong, said recently.

Delivering the keynote address, Mudd said that the threat landscape had become more sophisticated with the involvement of organised criminals. Outlining problems from a financial security point of view, Mudd shared key insights with the audience on how financial institutions could strengthen their back-ends to combat cyber attacks.

“Criminals could be people who want money, state-sponsored criminals or former employees of an organisation. Many cyber threats are part of the overall cyber threat landscape. When you look at them, some threats could distort a single business activity or could harm the entire business scope. These threats pose a reputation risk for the business as well as damage the relationship with your suppliers, shareholders and other stakeholders.”

He said that commercial crimes were not a myth anymore, with Malware as a Service (MaaS) available right now with 24/7 online support. He went on to speak about cyber threat classification, breaking the entire classification into three categories.

“First you have data theft which involves internal IT or tech staff or other staff members. These threats have to be dealt with internally. Also you have data theft, alteration, destruction and extortion. These could be state-sponsored, could be carried out by hacktivists or terrorists. Data ransomware has become a major issue. Then you might have threats happen due to phishing and spoofing. Denial of Service (DoS) has been there for a long time now. I heard that Sri Lanka also got into trouble with several Distributed Denial of Service (DDoS) attacks but there is a new threat which is a reflective form of DoS and DDoS called DRDoS (Distributed Reflection Denial of Service attack). This is widely used to distort functions in big infrastructure companies by enhancing a DDoS attack,” Mudd said.

Ransomware: A bigger threat

Mudd said that ransomware had become a growing threat with global statistics proving the growth of a very popular cyberattack mode.

“Up to March 2015, only 131,000 ransomware threats were recorded. However, during the period of April 2015 to March 2016, 918,000 ransomware incidents have been reported. They are very complex and some share a 2,048-bit RSA cryptographic key so breaking them looks near impossible. Some organisations charge you 400 to 600 bitcoins to unlock the locked screen or the hard disk partition. If you don’t pay it within 48 hours, they would triple the amount and if you are a big corporate the amount will be ten times the original ask.”

Mudd asserted that prevention and backup were crucial to dealing with ransomware and explained the importance of the BASIC (Be Aware Security is Compromised) approach. Attack identification is also making headway with companies like Intel and Kaspersky working on the technology, he said.

“Lots of these come through social media. The key is prevention of course. We need to look at risk management and governance and we need to build the foundation assuming that you are not 100% secured at any given time.

The bad guys will get through by any means. What do you do about it? Have you put proper strategies and measures in place? It comes down to being able to implement a working program together in order to mitigate risks. CEOs need to understand that this is a risk and execute a plan. They are not technical but in this case, they need to know how to manage these risks and make sure that escalation is in place to move this up.

“The BASIC approach will prove the benefits of taking necessary measures to evade unnecessary threats. Backing up is the most important thing. It is the basis of modern technical know-how. Organisations should look at enabling UAC (User Access Control) and removing admin rights. One other obvious factor for prevention is deploying robust anti-virus software with restrictions. Restrictions will alert the anti-virus company of an attack and they could identify it and fix it themselves. Using licensed software is very important. We have heard many stories where the CEO has supposedly received an email from the CFO asking for a money transfer but later realises that it was a spoof mail.

These things happen if you don’t use licensed software,” Mudd said. In the case of a user not knowing what is really happening, Mudd advised the audience to pull the network plug out at once.


A checklist to track them all

Mudd also spoke about a cyber security checklist which includes security by design, threat detection, protection by responding instantly to incidents, collaboration and engagement with different parties and the cyber security risk framework.

“A risk framework is important because it starts to address many risks involved in a business through information technology, operations and new tech elements like cloud computing. Risk management practices will cover the entire organisation, not just your IT department. It will be important when you work with service suppliers because many banks are doing outsourcing and cloud is the next level of outsourcing. Organisations need to implement security standards that include privacy controls to ensure compliance. It is important to always remember the five core functions of cyber security as well – identify, protect, detect, respond and recover,” said Mudd.

He explained the Waking Shark exercise of the Bank of England. It was built to test the incident response, resolution and coordination processes of the financial services sector and individual member firms to a street-wide cyber attack.

“This encourages people to do some exercises and identify where the weak points are. The Bank of England has worked with 22 British institutions over the past four years on this. If you look at what they came up with, the objective of this exercise was to identify, protect, detect, respond, recover and then learn. They also share their information with others which helped them to bring out a cyber security governance arrangement so that they could see where they were going,” said Mudd.

He emphasised the importance of resilience, the ability to recover to a 100% operations state without losing data within a given time span, and gave examples of how other countries such as Singapore practised resilience.

He also spoke about how banks that dealt with outsourced entities could deliver services with security, confidentiality, availability and integrity by knowing their supplier, using data with a purpose, proper sub-contracting and implementing a due diligence process.

“Ownership of data is always with the financial institution and the outsourcing entity should act upon the bank’s guidance. They have legal responsibilities so review monitoring and controlling is always important. Access rights, resilience, conditions on termination, data classifications, external certifications; financial institutions need to carefully look upon these aspects as well.”


Bangladesh heist

Mudd also spoke about how hackers breached the Bangladesh Central Bank and stole millions of dollars due to unprofessional cyber security practices. In February 2016, instructions to steal $ 951 million from Bangladesh Bank, the central bank of Bangladesh, were issued via the SWIFT network. Five transactions issued by hackers, worth $ 101 million and withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York, succeeded with $ 20 million traced to Sri Lanka (since recovered) and $ 81 million to the Philippines. The Federal Reserve Bank of NY blocked the remaining 30 transactions amounting to $ 850 million at the request of Bangladesh Bank.

The $ 20 million transfer to Sri Lanka was intended by hackers to be sent to a private limited company. The hackers misspelled ‘Foundation’ in their request to transfer the funds, spelling the word as ‘Fundation’. This spelling error gained suspicion from Deutsche Bank, which put a halt to the transaction in question after seeking clarification from Bangladesh Bank. Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting the transaction as too big for a country like Sri Lanka. Pan Asia Bank was the institution which referred the anomalous transaction to Deutsche Bank. The Sri Lankan funds have since been recovered.

“This was not the first attack we have heard of. There is a new level of knowledge and skills out there now and a huge portion of this knowledge has been transferred by inside sources. The only way a hacker could know about how SWIFT works is by working with the system. Technology’s sight is shortening now so that it is necessary to combat cybercrime,” added Mudd.


Building a close relationship

Answering a question posed during the panel discussion, Mudd said that Central Banks across the region should develop a broader dialogue with the technology industry.

“A close relationship between the regulator and technology vendors together can strengthen the financial sector. Over the years, there have been a number of silos regarding fostering a robust connection to mitigate cyber threats. Financial institutions usually don’t reveal information to other parties when they encounter a nefarious incident like a cyber attack. However, it is quite interesting to see that Sri Lanka’s Central Bank formed the FINCSIRT with the help of several key institutions. That is what should happen.”

Speaking at the panel discussion, NDB Bank Plc Chief Operating Officer Rohan Muttiah spoke about the challenge of maintaining safety as well as providing convenience to customers in the financial sector.

“There is no doubt at all that public transfers and depositories are the top-most priorities of a bank. Banks cannot put that principle at risk anytime in whatever they do. Having said that, what do we expect as customers of a bank? We want to do our bank transactions at our convenience so therein lies a challenge for banks. It is not an insurmountable challenge. Of course, there are risks associated but then you cannot afford to open them up. Online banking has been around for a long time and people are perhaps more familiar with the types of threats that are posed. These attacks have been partially solved by using the two-factor authentication. Then you have mobile banking which gives you anytime, anywhere banking. The types of authentications that have been introduced with mobile banking are perfectly aligned with CBSL’s guidelines. However, technology provides us more ways to make it more secure. For example, biometrics. Biometrics could be used in your mobile phone to authenticate yourself. It is quite possible for banks to continue to protect customer data with the help of technology.”

Speaking further, Muttiah said: “Bad guys are always ahead by several steps. That is the reality but having said that it does not mean that bad guys need to win. To protect something, you need to detect it first. You may not be able to provide 100% protection but you are able to detect most cases. Threats are progressing at a very rapid rate but with the demand increasing for more convenience, measures and methods of protection are also keeping up. You need to have proper awareness of what you are doing.”

Microsoft Sri Lanka and Maldives Country Manager Brian Kealy was also at the panel discussion and spoke about how Microsoft ensures safety for its users who perform online transactions using their devices.

“People want new technologies that they would trust. If a bank provides a trustworthy platform for users to do their transactions they will happily keep using it for a long time as well as the bank’s other services and applications. Organisations have a responsibility to make sure that they can articulate how they are protecting the personal data of users.

“Microsoft trusts in four areas which we believe is the foundation of creating secure transactions. If you look at few years ago, many organisations focused on a harder outside and a softer inside. When someone broke that strong outside, you realise that you don’t have a strong inside anymore which of course is a breach of trust. Firstly, we need to make sure that the person who is doing the transactions is on a mechanism where his data will be secure. Secondly, protecting the data of the application. Whether the data is stored in the system or the device it is super important to know whether the data has been encrypted. That will make sure that hackers or even insiders cannot touch it at all. Thirdly, protecting your infrastructure and finally making sure that the devices and applications we hand out to consumers are safe and protected. This is how we look to simplify the environment for security professionals and for all our users,” said Kealy.

The EC-Council Cyber Security Summit 2016 was co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT. Supported by the ICT Agency, the strategic partners of the 2016 Cyber Security Summit were Microsoft and CISCO, the electronic payment gateway was LankaPay, the insurance partner was Sri Lanka Insurance, the creative partner was BBDO Lanka, the printing partner was OfficeMax, the hospitality partner was Cinnamon Lakeside and the electronic media partner was MTV and MBC Radio. Deakin University and EPIC Lanka also extended their support to the Summit.
