US, WASHINGTON (ORDO NEWS) — Financial institutions are frequent targets for cyber fraudsters seeking profit, as well as for pro-government hacker groups specializing in sabotage and espionage. Damage from successful cyber attacks threatens significant financial and reputational losses. Today, companies face new challenges associated with the transition to cloud IT infrastructure and with ensuring the cybersecurity of employees working from home because of quarantine. Ekaterina Kukhareva, head of the information security department at QIWI, discussed these challenges.
– What cyber threats for companies are relevant this year?
– This year phishing remains popular among hackers: at minimal cost to the cyber fraudsters it is extremely effective. Even the theme of the coronavirus pandemic is actively used. At the end of March, a phishing mailing purporting to come from the World Health Organization, about ways to cure coronavirus, was discovered. Other topics are also popular – cancellation or rescheduling of events, information on refunds for airline tickets and hotel reservations. Attackers are very inventive.
For example, phishing attacks are used by well-known hacker groups such as the Cobalt Group and Silence. After a phishing mailing succeeds and the system is infected, the hacker tries to gain a foothold, escalate privileges and gather as much information about the infrastructure as possible.
The main goal is to compromise one financial system or another, for example a Bank of Russia client workstation (AWS KBR) or the international interbank system of financial communication channels (SWIFT), which are the most common in banks.
There are APT groups whose attacks follow a well-known scenario that we have already encountered, but we will not recognize a new group's pattern of actions until the first incident.
– On the network you can find all kinds of hacker tools – sometimes their creators even offer to configure the virus for a specific “client”. Can we say that viruses have become more accessible to attackers without special skills? How serious is the threat from these new hackers to financial service providers?
– The main tools of hacker attacks have evolved only insignificantly over the past five years, if at all. Therefore the scale of the threat to a business is determined not by the complexity of the attack but by the company's level of security. The basic principle is this: an attack will succeed if the investment in it is less than the benefit from carrying it out.
Therefore, if a company does not focus on information security, even a novice hacker can attack it successfully. If business protection is at an acceptable level, more complex attacks, but still with standard tools, will be dangerous. Standard ones, that is, tools you can buy or download ready-made rather than create yourself. And when a company invests enough resources in security, it need not fear most attacks from new hackers.
– What level of literacy in the field of cybersecurity should employees of companies and information security specialists have? Does QIWI provide staff training?
– To protect certain IT products, you need to understand how they are created and work. That is why our main approach at QIWI is to grow internal staff from other IT departments. Two-thirds of our information security department were originally programmers, system administrators, or technical support specialists.
This approach is typical of any large corporation. In our case it looks like an internal institution of training and career advancement, where a junior shift engineer can become a leading information security specialist. This path takes three years on average.
We also practice the exchange of experience between information security experts in our group of companies, constantly exchange expertise and are united by the common policy that QIWI payment service forms.
– What are the financial risks associated with cybersecurity breaches made up of, and how can they be reduced?
– Financial risks in the field of information security consist of direct, indirect and reputational losses, fines and potential loss of a license.
Although companies usually fear direct losses, in reality these pose the least threat – in contrast to indirect and reputational risks. The latter are truly frightening: a loss of confidence in the business and an outflow of customers.
Risks are reduced by integrated work in different directions according to a single principle: extrapolating conclusions from incidents in the industry to the current situation and assessing the material weight of the risks. On that basis, a plan of investment in further protection against similar cyber attacks is built.
The main difficulty in assessing the risks of information security is the inability to combine their different categories into a single risk potential, so you have to predict the level of each type of risk separately and build a multi-factor flexible strategy for further strengthening business security.
– How is the necessary level of security for employees working remotely ensured?
– For most large IT and financial companies, remote work was neither a novelty nor a serious security threat, and that was our case too. We were ready for the transition to remote work because we professed the principles of mobile workstations, had practiced this format of work before, and paid great attention to the security of client devices.
Our main principle in organizing remote work was to ensure a level of security for the home office identical to that of the office. To do this, we adhere to the Zero Trust model: trust, but verify. After checking the user's authentication data, including two-factor authentication, the user's device is verified. We receive information about the device, check it for compliance with policies and, if everything is in order, grant access to the QIWI internal network.
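The two-stage access decision described in this answer (user authentication with a second factor first, then a device compliance check before internal access is granted), as an added illustration that is not QIWI's code; the posture attributes and the 30-day patch threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed illustration of a Zero Trust access gate: the user is
# authenticated first, then the device is checked against policy.

@dataclass
class UserAuth:
    password_ok: bool
    mfa_ok: bool

@dataclass
class DevicePosture:
    managed: bool           # enrolled in corporate device management
    os_patch_age_days: int  # days since the last OS security update
    edr_running: bool       # endpoint agent alive and reporting
    disk_encrypted: bool

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold

def evaluate_access(user: UserAuth, device: DevicePosture) -> Decision:
    """Return an allow/deny decision listing every failed check."""
    # Stage 1: the user. Without both factors the device is never examined,
    # so a stolen password alone reveals nothing about posture rules.
    if not (user.password_ok and user.mfa_ok):
        return Decision(False, ["user authentication incomplete"])
    # Stage 2: the device, evaluated fully so every gap is reported at once.
    reasons = []
    if not device.managed:
        reasons.append("device not managed")
    if device.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("os patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if not device.edr_running:
        reasons.append("endpoint agent not reporting")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    return Decision(not reasons, reasons)
```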
– What are the benefits of the MDATP you use?
– Microsoft Defender helped us consolidate several endpoint solutions. It replaced our antivirus and our EDR (Endpoint Detection and Response) solution. Defender solves a whole range of tasks: it protects workstations and servers from threats daily, and detects and prevents attacks. In some cases it allows mitigating 0-day vulnerabilities (vulnerabilities for which there are no fixes); for example, it recently helped us close an RCE vulnerability in the SMB protocol on workstations.
And since this is Microsoft technology, we can easily configure integration with the other Microsoft solutions we use, and need not fear compatibility problems between the agent and the operating system.
– What threatens a wrong response in a crisis?
– The main danger of an incorrect response is lost time. The longer it takes to find and implement the right steps, the more likely the attacker is to develop or complete the attack, and the business to suffer material and reputational damage.
Therefore, accurate and prompt action on detecting an attack allows, firstly, isolating the hacker from business systems as quickly as possible and preventing him from completing the attack, and secondly, obtaining as much evidence as possible for investigating the incident.
– How to assess the areas in which it is necessary to strengthen the protection of financial institutions?
– Information security is a combination of areas of business protection, which includes ensuring the security of products, infrastructure and compliance. It is worthwhile to approach the assessment of cyber defense areas comprehensively and to involve a third party in the assessment. For evaluation you can use, for example, the methodology of the international standard ISO/IEC 27001.
The peculiarity of information security is that if the protection of at least one of the areas is low, the risks grow immediately in all directions. Therefore, the key to protecting a business is working on it in all areas.
If it is impossible to provide maximum protection in all directions simultaneously, the best strategy is to develop the security of each area to an acceptable level. We learned this lesson at QIWI about 5 years ago, when we concentrated on one direction, and we no longer make that mistake: now our priority is to develop the level of protection comprehensively.
– What is the average lifespan of the information security systems installed in companies: when do they need to be replaced? Is update control a laborious process at QIWI?
– There is no clearly defined life expectancy for security systems as such. A classical system from a large vendor, for example, is regularly updated, refined and developed. Therefore, if you selected the product correctly, you may not have to change it for a very long time.
But at the same time there is the concept of obsolescence of systems: sometimes the vendor prefers to produce analogues of old products rather than modify them. Therefore, the average life of an information security system can be estimated at 3-5 years. But there are exceptions, towards both a longer and a shorter product life.
Yes, controlling system updates at QIWI is a time-consuming process. The reason is the extremely high frequency of updates and the large fleet of systems: if you keep the process of updating all systems continuous, that is all the business will do.
So that an update does not affect the functionality of the payment system, you need to test it. At the same time, checking for updates and installing them is an ongoing process, so it must be automated. It is always a matter of balance between reducing security risks and keeping the system in its target condition.
Therefore, we at QIWI accept the existence of a number of vulnerabilities in our systems, but only if we know about them. This is the essence of the update principle: an initial assessment of the entire complex of systems and the status of each of them is necessary. With a correct assessment of the criticality of vulnerabilities, the presence of temporarily un-updated software is sometimes acceptable. For example, a vulnerability may be critical in general but insignificant for you. Priorities are then built on business objectives.
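The prioritization argument above (a vulnerability that is critical in general may be insignificant for a particular business, so patching order follows business context rather than the vendor's severity alone), worked as an added example that is not QIWI's method; the systems, vulnerability ids, weighting factors and the acceptance threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: each system with its business exposure, and the
# findings (un-patched vulnerabilities) recorded against it.

@dataclass
class System:
    name: str
    internet_facing: bool
    handles_payments: bool
    compensating_control: bool  # e.g. vulnerable service disabled or filtered

@dataclass
class Finding:
    system: System
    vuln_id: str          # placeholder ids, not real advisories
    base_severity: float  # 0-10, vendor-assigned, context-free

def contextual_score(f: Finding) -> float:
    """Adjust the generic severity to this business's actual exposure."""
    score = f.base_severity
    if not f.system.internet_facing:
        score *= 0.5   # harder to reach from outside
    if f.system.handles_payments:
        score += 2.0   # direct financial impact if exploited
    if f.system.compensating_control:
        score *= 0.3   # effectively mitigated, so the patch can wait
    return round(min(score, 10.0), 1)

ACCEPT_BELOW = 4.0  # assumed threshold for temporarily accepting a finding

def plan(findings):
    """Rank findings; low-scoring ones are deferred but remain tracked."""
    ranked = sorted(findings, key=contextual_score, reverse=True)
    return [
        (f.vuln_id, f.system.name, contextual_score(f),
         "patch now" if contextual_score(f) >= ACCEPT_BELOW else "accepted, tracked")
        for f in ranked
    ]
```

In the constructed case a 9.8 finding on an isolated, mitigated system ranks below a 7.5 finding on the payment gateway, which is the point of the answer above.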
– What tasks should the corporate center for monitoring and responding to information security incidents have to solve?
– A Security Operations Center consists of processes, teams and technologies aimed at detecting and preventing an attack as quickly as possible. The main task of the team is to build incident response processes based on the needs of the business, while providing both proactive and reactive protection. At the same time, the key to the effectiveness of the monitoring center is the team and the processes: without them, any technologies and security tools will be ineffective.
– What are companies focusing on when setting their budget for cybersecurity?
– First of all, on the continuity of the information security processes existing in the business. Another key factor in budgeting for information security is ensuring a level of business security that keeps pace with the development of its technologies.
New technologies launched by the company may require specialized protective tools not provided in standard toolsets. The acquisition, testing and adaptation of such systems often require additional resources.
– What technologies in the field of information security solutions for companies can be identified in the trends of this year?
– One of the main trends is products such as Security Orchestration, Automation and Response (SOAR), which allow you to automate processes and reduce human participation in the repetitive tasks of responding to information security incidents.
At the same time, in addition to popular information security technologies, one should not forget about new technologies in IT and their protection. An example of such a technology is big data. Most businesses are now developing products and solutions based on big data, and these involve massive access to sensitive user information that needs to be protected.
– What information security standards should companies operating in the financial sector in Russia comply with? What laws govern the responsibility of companies to regulators?
– If a company processes payment card data, compliance with the PCI DSS standard is mandatory. A number of companies have also adopted the set of Bank of Russia standards STO BR IBBS, ISO/IEC 27001, ISO/IEC 27005 and several others.
Payment systems can apply significant penalties to service providers and trade and service companies that have not passed assessment and certification for compliance with the PCI DSS standard.
Federal Law No. 152 (“On Personal Data”) gives the authorized body for the protection of the rights of personal data subjects the right to hold companies liable for violating the requirements for protecting user data. And the Criminal Code protects against the illegal dissemination – without the clients' consent – of information about their private life that constitutes a personal or family secret.
For companies serving the financial sector, it is important to strike a balance between business requirements and compliance with the law: for example, to make the service convenient for the user while not collecting unnecessary personal data.