The job of a CSO is to try hard not to be an easy target for attackers. K S Naraynan, Head Information Risk Management, ING Vysya Bank, shares his approach in this area.
While there are certain things that are in the hands of enterprise information security practitioners, when it comes to securing their organizations, there are others he can’t do anything about. However, it is his endeavor to ensure his organization doesn’t become the low-hanging fruit for attackers.
“The idea is not to prevent everything. I can’t say that no customer will lose his password. That is simply not in my control. However, I certainly don’t want to be the low hanging fruit in the market. My bank should not be targeted by hackers thinking that he can easily succeed,” K S Naraynan, Head Information Risk Management, ING Vysya Bank said while delivering his presentation on ‘Protecting Banking Infrastructure from Cyber Attacks.’
Naraynan has approached this issue by first defining cyber crime in the right context and then mitigating it.
“We need to define cyber crime properly. I find it is not yet defined properly. Anything and everything, including anti virus, has been called cyber crime. If you define cyber crime only in terms of security then you are wrong. Cyber crime cannot be defined only related to technology because technology can’t give a holistic solution,” he said.
According to him, cyber crime can be perpetrated out of national interests, money and ideology. The best way to understand cyber crime, therefore, is to understand the motivation and modus operandi against your organization, he said.
“There are some things done just for fun by a hacker to show his technical capabilities or to throw the technology apart and show its limitations. It doesn’t harm you in any way. We are today able to handle such threats today,” he said.
“There a lot of DDoS attacks. Iran wanted to prove a point against the US banks and did several attacks on them. Is this attack relevant to the bank? Yes, because in some scenario the entire banking industry could be a target and not only ING Vysya Bank. In my definition of cyber crime, DDoS is a cyber crime and a threat to my organization,” Naraynan said.
“Then there are other motivations – cyber war. But is it relevant for us? Individual organisations can’t tackle them. If a CSO is handling a critical infrastructure, he needs to collaborate with the government to mitigate such threats. The mitigation is different for cyber war. The final and the big motivation is money. This is the biggest threat for the banking industry,” he said.
This is how Naraynan profiles cyber crime. He categorises the motivation and what is relevant for him and then analyses how to mitigate it.
“While I can’t reveal what we are doing, but I can share from a general principle standpoint. To start off, you need to have a reference architecture and se what is the best and relevant architecture that will work for that threat. If you have a single architecture to mitigate all risks, it won’t work. You need to have defense-in-depth concept. In today’s APT scenario, you can’t have the ISO 27000 model applied in cyber crime mitigation,” said Naraynan.
“The second concept is that we are tuned with the whole ecosystem – standard, policies, quality controls, auditors – everybody is tuned to talk about whether you have preventive, reactive or detective controls. The response and security intelligence is key. Today we are very clear. We take a business process, divide it into parts and address each part at its core. The primary objective is to prevent a cash-out,” he added.