“Hong Kong’s banking and financial sector has made tremendous progress with initiatives intended to prepare for and respond to the threats of cybercrime. We want to raise industry awareness and standard of cybersecurity risk and solutions, and connect and recognise talents. This is very important for HKIB to build a platform for our members and the industry to get together to share insights,” said Carrie Leung, CEO, The Hong Kong Institute of Bankers (HKIB) at the opening of the Cyber Risk and Solutions Day.
Organised by HKIB, with Singtel as title sponsor, the full-day event in Hong Kong saw security experts and providers share their thoughts and strategies on how financial institutions can boost their cyber resilience and readiness.
There were also two panel discussions focusing on the state of cyber security in the banking industry, including the role of the Cyber Resilience Assessment Framework (C-RAF) in helping banks prepare against new security risks and challenges, and the importance of the newly established Cyber Intelligence Sharing Platform (CISP) in cyber defence. These are components of the Hong Kong Monetary Authority’s (HKMA) Cybersecurity Fortification Initiative (CFI).
What does the cyber security situation look like when it comes to public-facing websites, which have evolved to become a vital component of banks and financial institutions? According to Michael Smith, Chief Technology Officer, Security, APJ, Akamai Technologies, the frequency of distributed denial-of-service (DDoS) attacks is increasing.
“Attackers are learning how to use the minimum amount of bandwidth they need to knock the target offline. The ability to build attack [botnets] is getting easier, and if you use something like compromised web servers, you don’t need as many of them to launch an attack,” he said.
And modern DDoS attacks do not always use the blunt approach of overwhelming a victim with spurious requests. Smith pointed to the DNS-based random subdomain attack to illustrate how a victim’s DNS server can be inundated with requests to non-existent hostnames. These requests would appear as legitimate queries, making them hard to detect, and could be amplified through a botnet for devastating effectiveness, he said.
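One way a defender can spot the random-subdomain pattern Smith describes is to watch a resolver's own logs for bursts of NXDOMAIN answers to high-entropy hostnames under a single zone. The example below is added here and is not code from the event or from Akamai; the log format, the thresholds and the sample lines are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log sample (not real traffic): "<epoch> <client-ip> <qname> <rcode>".
# The last six lines mimic a random-subdomain flood: junk labels under one zone, all NXDOMAIN.
SAMPLE_LOG = """\
1700000000 192.0.2.10 www.example-bank.test NOERROR
1700000001 192.0.2.11 mail.example-bank.test NOERROR
1700000002 192.0.2.12 www.other-site.test NOERROR
1700000003 192.0.2.13 typo.example-bank.test NXDOMAIN
1700000004 203.0.113.5 q8zk1wp3xv.example-bank.test NXDOMAIN
1700000004 203.0.113.6 m2ja7b0cdt.example-bank.test NXDOMAIN
1700000005 203.0.113.7 rt4ye9nq6z.example-bank.test NXDOMAIN
1700000005 203.0.113.8 k1wz5o3bfu.example-bank.test NXDOMAIN
1700000006 203.0.113.9 v6dp2xhl8a.example-bank.test NXDOMAIN
1700000006 203.0.113.5 g9uc4sr1em.example-bank.test NXDOMAIN
"""

def label_entropy(label: str) -> float:
    """Shannon entropy (bits/char) of a DNS label; random junk scores higher than real names."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def zone_of(qname: str) -> str:
    """Assume the victim zone is the last two labels (enough for this constructed sample)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def detect_random_subdomain_flood(log_text, window=60, min_nx=5, min_entropy=3.0):
    """Per zone and time window, count NXDOMAIN answers whose leftmost label looks random.
    Returns {zone: {"nxdomain": n, "distinct_clients": m}} for zones at or above min_nx."""
    stats = {}
    for line in log_text.splitlines():
        ts, client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":
            continue
        leftmost = qname.split(".")[0]
        if label_entropy(leftmost) < min_entropy:
            continue  # plausible typo or real hostname, not junk
        key = (zone_of(qname), int(ts) // window)
        entry = stats.setdefault(key, {"nxdomain": 0, "clients": set()})
        entry["nxdomain"] += 1
        entry["clients"].add(client)
    return {zone: {"nxdomain": e["nxdomain"], "distinct_clients": len(e["clients"])}
            for (zone, _), e in stats.items() if e["nxdomain"] >= min_nx}
```

Running `detect_random_subdomain_flood(SAMPLE_LOG)` flags `example-bank.test` with six junk NXDOMAIN answers from five distinct clients in one window, while the single typo lookup is ignored; in practice the thresholds need tuning against the zone's normal NXDOMAIN baseline.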
In the face of a plethora of successful cyber attacks against organisations and financial institutions, David Mclinton, Head, Asia Pacific Operations, Cyber Security, Singtel noted that organisations have no choice but to constantly invest in their security efforts and stay on their guard against new threats.
Mclinton shared statistics about the threats currently faced by financial institutions: “205 days is the average it takes before you detect something is wrong with your systems. [And] if you deploy a red team, it takes about three days before they gain [administrator] access to your network.”
If you jingle enough door handles, you will find a door that opens eventually, he said of the mindset of cybercriminals. Moreover, their use of automated attack tools takes away the tedium and allows attacks to be simultaneously launched against multiple targets.
If there is one stance that organisations should adopt, then it would be the realisation that traditional defences and methods are no longer adequate. “100 percent of the victims we see today have antivirus software installed and firewalls in place – but they still suffer a breach,” said Mclinton.
This explains Singtel’s heavy investment to keep ahead on the cyber security front, with 12 engineering centres and nine security operation centres across the globe, on top of research and development facilities and a cyber security institute.
So how can organisations boost their cyber resilience in the face of a constantly changing threat landscape? Serene Siow, Regional Director, Asia Pacific & Japan, BitSight Technologies suggested that organisations do a mental “gear change” and consider evaluating their security from the outside.
“On average, 89 different vendors connect to a company’s network on a weekly basis. Third party risks are more prevalent than ever, and are becoming a problem that we cannot ignore. What happens in the other person’s house is now beginning to affect your own backyard,” she explained.
And the hyperconnected nature of today’s digital ecosystem means businesses cannot simply shut off their networks. The alternative is to increase one’s cyber security posture through a vendor management risk programme to validate all third-party organisations with a direct connection to one’s network, be it customers, vendors, contractors or subsidiaries, said Siow.
On his part, Michael Lam, Systems Engineer, Palo Alto Networks observed that automation is a crucial feature that could make all the difference between being able to stop a new threat in its tracks and succumbing to a cyber attack.
“A security system that can block [known] attacks doesn’t equate to an ability to prevent new threats. Even if it has the capability to learn new threats, if it cannot be [applied] automatically, it’s useless,” said Lam, who talked about the role of the network in detecting or remediating a cyber attack.
“Most people don’t have visibility into their network, though they may see a lot of IP addresses [and] a lot of port numbers,” he said, though he was quick to note that access to detailed network logs is an important first step. However, this becomes truly useful only when paired with the ability to correlate the data points to draw meaningful conclusions and insights.
The importance of identifying and stopping malware at end-point nodes should not be overlooked either, according to Ivan Lee, Senior Advisory Sales Engineer, Asia, CounterTack. The rationale: even the most sophisticated malware must run from memory, giving defenders the opportunity to thwart it by monitoring the behaviour of individual processes in memory.
“We want the intelligence that is non signature-based to detect threats [on the cusp] of performing an unsanctioned action,” said Lee.
Also known as red teaming, iCAST is an intelligence-led cyber-attack simulation testing touted as being more advanced than a standard vulnerability assessment or penetration test. Because iCAST was designed to simulate how real attackers work, it involves a minimum of scope limitations, a longer time frame, and more advanced resources than are typically used, said Gianarakis.
“Red teaming in threat intelligence is an assessment of an organisation’s resilience to realistic threats and attack scenarios. It tests an organisation’s ability to resist, detect, respond, and recover from realistic attack scenarios,” he explained. “It is not about offence, but about how well you can resist and recover from these attacks; it is about assessing your capability to do so.”
An iCAST assessment is only performed by organisations that are more mature in their security posture and conform to a minimal baseline. Crucially, the requirement for it to be conducted in a realistic environment means that it is often performed on production systems.
“Red team engagements are almost always performed on production systems. It is done in the environment that attackers target, as the purpose of the whole exercise is to simulate attackers,” said Gianarakis.
Safety and governance are paramount when performing red teaming engagements to ensure that day-to-day operations are not impacted. While overspill may occur, this should be limited and care must be taken to ensure that security vulnerabilities are not inadvertently introduced through an iCAST assessment, he said.
Gianarakis cautioned that some security vendors may not have the capability to create the custom tools required to target and exploit specific environments in an iCAST assessment. This may be replaced with generic toolsets or even outsourced, he observed, alluding to the benefits of working with more established vendors.
Scottie Tse, Principal Engineer, ASTRI Security Lab, Hong Kong Applied Science and Technology Research Institute Company Limited, shared that banks could benefit from the CISP, which is envisioned as a neutral platform for the sharing of security intelligence.
Tse shared how the CISP platform, available since late last year, allows data, information and intelligence related to cyber threats to be centrally compiled and shared among authorised users for the benefit of all participants.
Having a central repository is not without its own set of challenges though. Tse observed that some security vendors prefer to sell the intelligence to the banks individually, and declined to share it through the platform.
For now, efforts are being made to enrich the data collected on the CISP platform with broader collaboration with the industry and commercial firms from mainland China and other countries. Tse also spoke of plans to further enhance the repository by tapping into community efforts through organisations such as ISACA, an international professional association focused on IT governance with chapters in most countries around the world.
A secure environment is not something that happens by chance or accident, said Dr. Henry Chang, Senior Manager, Fintech Facilitation Office, HKMA.
That financial institutions in Hong Kong have emerged unscathed from recent waves of cyber attacks that plagued organisations is a credit to the efforts of cyber security experts in Hong Kong, he said. In a nutshell, much work remains to be done, and complacency is not an option.