The recent news that Chinese hackers were able to break into the payment system in Nepal and withdraw millions of rupees has revealed the vulnerability of the information systems in Nepalese banks. IT security has become a major focus for every organization around the world as the number of new and emerging risks keeps increasing. Banks have always had a high hack value, and recent data shows that banks in the Asia Pacific region have been a major target for hackers around the globe. The reason is that IT security technologies and processes need huge investment, and banks in the Asia Pacific haven't really taken it as a priority.

An IT system hack or data breach not only causes monetary and reputational loss; the organization also loses the trust of its customers and partners. Additionally, the regulatory body can impose a huge fine, because of which the organization may come to the verge of collapse. One instance is Equifax, which experienced a massive data breach in 2017, after which the US regulatory body imposed a $575 million fine. The main accusation against Equifax was "failure to take reasonable steps to secure its network which led to a data breach".

Broadly, IT threats can be seen as external and internal:

  1. External Threat: A threat that originates outside the organization, from hackers, crackers or even state-sponsored attackers.
  2. Internal Threat: A threat from within the organization, from employees acting intentionally or unintentionally, and from social engineering.

For any organization, understanding IT risk starts with understanding risk on the basis of the threat and vulnerability model. Below is the definition of risk as per that model:

Risk = Asset + Threat + Vulnerability

Asset – People, property, and information.

Threat – Anything that can exploit the vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.

Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.

To mitigate new and emerging risks, any organization should address vulnerabilities as soon as they are revealed. If a vulnerability cannot be addressed, there must be sufficient key and compensating controls to bring the risk from inherently high to residually low. Below are some of the technologies and processes that can be implemented to beef up the information security posture of any organization:

  1. Patching Cycle: Every system used and implemented should be updated to the latest stable release. Patches, updates and upgrades help the system address existing vulnerabilities and fix bugs. For example, Microsoft releases Windows updates on the second Tuesday of every month; these updates should be pushed out to all systems such as desktops, servers, ATM machines and kiosks to address the vulnerabilities. Along with Windows updates, any appliance and network device firmware and third-party software should be patched regularly.
  2. Use of Firewall: A firewall can analyze network traffic, allow legitimate traffic and block unwanted traffic as per the policies. The best practice is to design two layers of firewall, external and internal. The external firewall blocks all unwanted traffic entering and leaving the organization to and from the outside world, whereas the internal firewall blocks traffic between the different systems/VLANs of the organization as per the policies.
  3. Use of Antivirus: Antivirus is the last line of defense, protecting endpoints from malware, viruses and spyware. Antivirus must be implemented on all endpoints, and the virus definitions must be updated as soon as they are released to get the latest protection.
  4. Zero-day Protection: A zero-day threat has no patch released on the day it appears, so it can be harmful to the organization. To mitigate zero-day threats, zero-day protection tools must be implemented for email, network and endpoints. For example, a zero-day protection tool will open email attachments and links in a sandbox and analyze the effect before the email is actually delivered to the end-user.
  5. Email Security: The main source of viruses, spyware, malware, ransomware, etc. is email. Hackers can target end-users by sending phishing/spam email and also by impersonating email as if sent by a colleague or senior. To protect from this threat, an email gateway should be implemented which analyzes email and blocks spam and phishing messages. An email gateway can provide email security, automated redaction and sanitization, anti-spam and anti-phishing, and virus scanning, which helps to mitigate most of the threats that come through email.
  6. Vulnerability Management: All the assets of the organization should be periodically scanned for vulnerabilities using a specialized vulnerability management tool, which will list any serious, high or medium vulnerabilities in the system. Serious and high vulnerabilities should be addressed as soon as possible. Old vulnerabilities present a bigger threat vector, as attackers will already have devised many ways to exploit them. Examples of vulnerability management tools are AlienVault Unified Security Management, Comodo HackerProof, Tripwire IP360, etc.
  7. End of Support Life Systems: Attackers can easily exploit a system that has passed its end of support life, as the vendor no longer releases updates/patches. So an end-of-support-life system is always a vulnerability for the organization, and such systems must be replaced with newer releases.
  8. Two-factor authentication: Two-factor authentication protects the system even if the first authentication factor (the password) is compromised. The attacker will still need another level of authentication, which can be a code sent to a mobile device or email, or a secure ID token.
  9. Data Leakage Prevention: Data is the most important asset of any organization. Data must be classified based on its content as restricted, confidential or public. Data leakage prevention (DLP) technology protects data from leaking out of the organization intentionally or unintentionally. DLP technology can protect data from being sent to a printer, copied to a removable device, or uploaded using FTP or HTTPS. Examples of DLP solutions include Forcepoint DLP, Symantec DLP and Check Point DLP, etc.
  10. Data Encryption: Confidential and restricted data must be encrypted so that only an authorized user with the key is able to view and change the data. Data encryption assures the confidentiality and integrity of sensitive data. Encryption can be done user-based or group-based, as per the need and nature of the data.
  11. Use of FIM and SIEM: FIM (File Integrity Monitoring) provides another layer of data security by monitoring files and systems, giving valuable insight into the technical environment. SIEM (Security Information and Event Management) enables security teams to triage events and perform investigations. It provides a single point of collection for all potential security threats. Implementing FIM and SIEM gives the capability of security investigation and monitoring in case of a data breach or attack.
  12. Penetration tests: A penetration test is a controlled hack of one's own system; its results give insight into the vulnerabilities of the information systems. Penetration testing/scanning must be conducted on a regular basis, and the vulnerabilities and gaps found must be addressed to secure the environment.
  13. DDoS Prevention: A Distributed Denial of Service attack consists of sending multiple requests to a service or network from multiple compromised systems distributed geographically. A DDoS attack exhausts the capacity of a system to process requests, so that it is no longer able to process legitimate requests. DDoS prevention tools such as those from F5 Networks, Aruba Networks, Black Lotus, etc. can be implemented to prevent DDoS attacks.
  14. Privilege Management: Access to critical systems must be classified based on the roles and permissions of the user, such as read-only, read/write or execute. Access to databases and network devices must be separated and restricted based on the policies, which protects the system from unauthorized changes. Access to such systems can also be permitted based on time-based tokens.
  15. HIPS: A Host-based Intrusion Prevention System can analyze system calls, application logs and file-system modifications (binaries, password files, capability databases and access control lists) with the help of its database. Once malicious activity is detected, HIPS can alert the specified user and log the event for investigation.
  16. MDM and VPN: All mobile devices such as mobile phones, tablets and laptops must be enrolled in mobile device management (MDM) so that policies can be set to secure the devices. For example, if a mobile device is lost or compromised, the administrator can remotely wipe the device using the management console. Remote access to the network and systems from mobile devices must be allowed only through a secured VPN (Virtual Private Network), so that there is no need to use vulnerable third-party tools.
  17. Web Application Firewall: A WAF can protect web applications based on the policies set by the administrator. This is an additional layer of firewall at the application level. For example, an administrator can set custom policies such as blocking traffic from high-risk countries.
  18. URL Filtering: The Internet is another source of viruses, malware and other risks. URL filtering can restrict traffic in and out of the organization based on allowed categories, file types and custom policy groups. URL filtering can be a part of the firewall implemented in the organization.
  19. Educating employees about different IT risks: Providing training and educating staff about different threats is very useful in mitigating risk; for example, educating staff about phishing/spam email and how to identify it can minimize the chance of staff clicking on spam/phishing links.

In conclusion, there is no system in the world that has zero vulnerabilities and no risk at all. But implementing the above technologies and processes greatly reduces the risk from different threats. Investing in IT security is better than ending up paying hefty fines to regulatory bodies later and losing money and reputation from attacks.

Sushil Karki

(Sushil has worked for 10 years in IT in the banking sector; currently he is working for Arab Bank Australia)

About the Author

Kathmandu Tribune Staff
