
Cybercrime

Cybercrime: Outlook on African banks. Adwo Heintjes, Global Head IT Audit & Ops, Rabobank. Agenda: What is Cybercrime and Cybersecurity? Trends. Impact on African banks. What is needed? Questions for the board room.


Presentation Transcript


  1. Cybercrime: Outlook on African banks
     Adwo Heintjes, Global Head IT Audit & Ops, Rabobank

  2. Agenda
     • What is Cybercrime and Cybersecurity?
     • Trends
     • Impact on African banks
     • What is needed?
     • Questions for the board room

  3. Cybercrime and Cybersecurity
     • Cybercrime: unlawful acts in which the computer is a tool, a target, or both
     • Cybersecurity: combines people, processes and technology to continually monitor vulnerabilities and respond proactively to secure an organization's assets

  4. Cybercrime and Cybersecurity
     • Damage with respect to:
       • Confidentiality
       • Integrity
       • Availability
     • Losses / what is at stake:
       • Financial
       • Regulatory
       • Reputational

  5. Trends
     • Everybody is a target
     • Easy to get into
     • Lots of money to be made
     • Small chance of being caught
     • Ever increasing and expanding
     • Moving from desktop computers into the smartphone arena
     • Cyber crime is here to stay!

  6. Attacks are increasingly easy to conduct
     [Chart: attack sophistication (rising) plotted against the skill level needed by attackers (falling), 1990 to 2011. Milestones labelled on the chart: packet spoofing, automated probes/scans, techniques to analyze code for vulnerabilities without source code, Windows-based remote controllable Trojans (Back Orifice), widespread denial-of-service attacks, internet social engineering attacks, increase in wide-scale Trojan horse distribution, hijacking sessions, distributed attack tools, GUI intruder tools, home users targeted, automated widespread attacks, anti-forensic techniques, executable code attacks (against browsers), widespread attacks on DNS infrastructure, widespread attacks using NNTP to distribute attack, sophisticated command and control, increase in worms, "stealth"/advanced scanning techniques, DDoS attacks, email propagation of malicious code.]

  7. Spy Eye screenshots

  8. Spy Eye screenshots

  9. Spy Eye screenshots

  10. Impact on African banks
     • Dependency on IT is a fact
     • Cyber crime is in its infancy
       • https://spyeyetracker.abuse.ch/
       • https://zeustracker.abuse.ch/
     • Internet banking is almost non-existent
     • Skimming attempts and gas attacks are moderate
     • Fraud with mobile banking is based on social engineering
     • Mobile banking is the way forward for hackers
     • Penetration of smartphones will be the turning point

  11. Impact on African banks
     • Connection to international payment networks will massively increase risk
     • Banks launch new products rapidly
     • Need to get ready now

  12. What is needed?
     • Improvement needed in:
       • people
       • process
       • technology

  13. What is needed? People
     • Get people in with the right skill set
     • Employ a Chief Security Officer
     • Educate your employees
     • Educate your customers

  14. What is needed? Processes
     • Implement security policies
     • Perform risk analysis with respect to IT
     • Manage residual risk
     • Move from active to pro-active

  15. What is needed? Technology
     • Invest in securing network and internet connectivity
     • Buy software to help automate checking compliance with security baselines
     • Hire outside contractors to monitor for threats and attacks aimed at your bank

  16. Questions for the board room
     • What are the top-5 IT risks?
     • How are they being managed?
     • How serious is the threat of cyber crime?
     • How is management dealing with that?
     • Who is responsible for managing IT risk?
     • How is reporting on these risks done?
     • What action plans are drafted/followed?
     • How is progress monitored?

  17. Questions for the board room
     • What were the latest security incidents?
     • How is management dealing with these?
     • Is card skimming a problem? Will it be?
     • Are gas attacks on ATMs a problem?
     • Does the bank have a CERT team?
     • Is the SMS service provider at the right security level?

  18. Actions/shopping list
     • Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security, IT governance and cyber risk expertise.
     • Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The CIO and CSO should report independently to senior management.
     • Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, CIO, CSO, CRO, and business line executives.
     • Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.

  19. Actions/shopping list
     • Review assessments of the organization's security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.
     • Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization's security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident.
     • Conduct an annual audit of the organization's enterprise security program, to be reviewed by the Audit Committee.
     • Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.
     • Require regular reports from senior management on privacy and security risks.

  20. Actions/shopping list
     • Require annual board review of budgets for privacy and security risk management.
     • Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.
     • Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.

  21. Questions? a.w.j.heintjes@rn.rabobank.nl
