By James Ward, Senior Cyber Consultant at MASS
The finance sector is typically more developed than others when it comes to implementing security measures. This is partly due to it being targeted by a diverse range of threat actors who are some of the most advanced, and also because the threat is so great – even the smallest breach has the potential for significant impact monetarily, or on market reputation, perception or confidence.
Ideally, an organisation’s critical assets should be surrounded by layer upon layer of security measures, all working together so that if one layer is removed or breached, the business’ most valuable assets are not compromised. Too often however, organisations take a siloed approach to security – viewing physical, cyber and personnel security as separate entities, where in fact they are more inter-related than many imagine.
It’s therefore vitally important that security measures are considered holistically and are led and understood by senior management, otherwise gaps for exploitation can be found by intelligent and experienced actors, supported by an ever-growing arsenal of exploitation technology.
Based on the approach MASS takes with public sector and defence organisations, we’ll now consider the security measures which should combine as part of a holistic approach.
It might seem obvious, but the first and fundamental consideration should be physical access to a site. For all organisations, this step remains vital – even in the finance industry where physical security principles have long been established.
You should consider the basic question of how an intruder could gain access, starting by reviewing the ‘perimeter’ controls. Indeed, organisations should even question what their perimeter is. With the potential for distributed site facilities, linked remote assets, and supply chain dependencies, this simple question must be answered.
To define where a ‘perimeter’ really lies, the use of scenario-based analysis, threat actor personas, motivations and objectives can be useful. It’s also an invaluable methodology for exposing how an organisation could be exploited.
The physical security stage should also involve a review of physical controls such as fencing, access technology, CCTV coverage etc., including their role in the deterrence and detection of hostile reconnaissance activities. Disrupting the planning cycle of attacks is often overlooked relative to direct prevention of unauthorised access.
That being said, security measures can only be as effective as the people applying them, so an understanding of human behaviours is essential. It’s important to consider how people’s actions affect overall site security and to question why these actions occur.
Simple mistakes like staff wearing security badges in the street could lead to unforeseen issues while poor motivation or effectiveness of roving security staff or those monitoring CCTV may also cause warning signs to be missed, demonstrating that innocent human mistakes could form the seed of future security breaches.
The finance sector’s cyber resilience has advanced considerably, as it’s adapted to threats over the years. But the evolution of the finance industry itself poses new challenges; businesses range considerably in size and new forms of financial transactions provide new opportunities for cyber exploitation. Exploitation toolsets and associated managed services are now more readily available at a lower cost, reducing the financial and technical barriers to advanced cyber-attacks.
The levels of cyber security in the financial sector must be retained, taken to a new level, and existing assumptions continually challenged.
For example, penetration testing regimes are a vital tool in mitigating network cyber risk (including ‘CBEST’ which has been widely rolled out across the finance sector) but have limitations given they are just a snapshot in time. They offer us a valuable depth of analysis within a network but can be constrained in breadth of scope and potentially leave vulnerability blind spots. Very frequent, lighter-touch cyber assessments can fill this gap as they offer a more dynamic view of ongoing vulnerabilities over a wider proportion of the estate, which could represent ‘low hanging fruit’ for the cyber actor. Assessments can be enhanced by applying modern threat intelligence techniques to rapidly identify existing compromises and potential weaknesses (including personnel and corporate digital footprint). This establishes a picture of cyber posture and vulnerabilities before any testing taking place.
End-user device security is also often viewed in terms of its encryption strength, keys etc. Modern methods of fault injection attack (a device’s response to artificially applied ‘fault conditions’ used to derive security credentials), though are able to bypass these assumed security measures, whereas it would take decades to ‘crack’ using more traditional computer power. This means it becomes important to test a device’s vulnerability to fault injection, rather than falling back on the old assumptions for protection.
To take a holistic view, it’s also important to examine the wider supply chain. The finance sector relies heavily on a network of suppliers of digital telecommunications and energy services, and when a network this complex is interconnected, it’s challenging to pinpoint cyber resilience risks. However, identifying ‘hot-spot’ concentrations of dependencies that represent single-point failures within the complexity of the overall business can allow you to filter the complex information and establish risk effectively.
The insider threat
Those who might misuse legitimate access to an organisation’s assets for unauthorised purposes are known as insiders and their threat is often overlooked when considering the overall cyber risk.
For those in the financial sector, personal financial gain could be a particular incentive to potential insiders, while security controls are now so effective that one of the only ways to circumvent them is for hostile actors to exploit those with legitimate access. It can help to think of insider threat as the ‘grand master skeleton key’ of security, as the right insider, or team of insiders can overcome almost all security measures. Security compromises involving insiders also tend to have a disproportionately high business impact.
Yet many organisations overlook insider risk, assuming that pre-employment screening is enough to deter employees and failing to recognise the wide range of risks from genuine human error, through to orchestrated insider activity by paid professionals. Insider cases are typically individuals who have been with an organisation for some years and could have had a personal vulnerability exploited or exposed, or simply become disgruntled with their employer.
It’s a broad area to address and can be more challenging to enforce than other security measures. Internal governance, security culture, employee wellbeing, employment measures, corporate digital footprint, and perceived employee sentiment are some of the aspects that should be considered. Once these internal factors have been addressed, organisations should then make the same assessment of their supply chains.
If the business is sufficiently committed to its security, structured analytical methods can quantify their maturity and assess where the key vulnerabilities and risks could lie. This extra level of understanding can enable improvement, and when it comes to security even small changes can make a big difference.
Consider your dependencies
It’s clear that security is a vast network comprising many different aspects and as such, if not considered collectively, some areas can fall through the cracks.
All businesses have particular dependencies which shouldn’t be overlooked. Your own environment may be protected, but if data is shared with suppliers or partners, is it still secure? If a supplier or partner has a security breach, does that affect your operation?
When assessing security measures, it’s essential to go an extra layer deeper and consider how a range of factors could impact your organisation and its readiness to respond to an incident.
At MASS, our security experts consist of professionals with extensive experience in preventing security breaches and performing assessments in accordance with Ministry of Defence processes, so that we can ensure our security analysis meets and exceeds industry best practice.
Why CMOs Should Care About Customer IAM
By Darshana Gunawardana, Associate Director/Architect at WSO2
The surge to move online in 2020, in turn, has driven demand for high-performance, cost-effective customer identity access management solutions. And as we kick off 2021, customer identity and access management (CIAM) have become essential for any business to really understand their customers which is why CMOs should actively engage with and care about their CIAM system. I say this because within the various stages of a customer’s buying journey, such as awareness, consideration, purchase and service, more often than not a CIAM is running in the background ensuring the right solution enhances their digital experience by providing significantly better onboarding, personalisation, omnichannel experiences, and privacy controls and building that all-important trust with the customer.
So, let’s take a look at how CIAM works and the benefits it provides in the various stages of the customer journey:
The awareness stage is the very first step where a customer interacts with a company’s brand. This is where customers get to know about the product or the service offered by the business, which may lead them to access the company website or content on other platforms such as social media.
At this stage, customer interactions typically occur at an anonymous level. Therefore, the involvement of a CIAM solution will be minimal as no identifying information is available. However, it’s important to make use of products such as web analytics to preserve customer interest, which can be beneficial at a later stage.
At the consideration stage, customers will have more focused needs and they will show more engagement by downloading datasheets, following product demos/trials, etc. Typically, one or two customer attributes are captured in the CIAM at this level. Depending on the prominence of the attributes, this would be the starting point of representing the customer as a light user account in the CIAM system. These accounts do not have any credentials associated with them since customers have not gone through an onboarding process.
At this level, the CIAM’s inbound and outbound provisioning capabilities play a key role. For example, a prospective customer downloads a catalogue from a product website by providing their email; then, the website would create a light account in the CIAM system using a standard provisioning protocol like SCIM. Next, the CIAM solution will (outbound) provision that user account to different marketing tools – for example, Hubspot, and CRM tools like Salesforce, or web analytics such as Mixpanel.
Likewise, the organisation might correlate the light account with web analytics. This helps to obtain more insights about users, such as geolocation and what type of content they looked at during the awareness stage. These details can be used to provide more relevant, personalised information in the future.
The purchase stage is the level that receives the most amount of attention from most organisations. Depending on laws and regulations, it will be crucial to have verified user details. However, it’s important to ensure that the customer registration and onboarding process is simple and user-friendly.
Minimising the mandatory information fields requested from a customer helps significantly. This can be done by auto-filling information that is already associated with the light account. Another way to do this is by using progressive profiling so that the customer has to provide additional details only when they access a specific service that requires these details.
Having to maintain many accounts and credentials is a major pain point from a customer’s perspective. The ability to bring your own ID (BYOID) to help simplify the registration process is important. This will also help to reduce self-service or call centre interactions in later stages as it will lessen the need of having to recover an account owing to misplaced or forgotten credential details.
Moreover, having direct integrations with identity verification services like Evident ID in the CIAM solution reduces the overhead of providing various documents or having to go through a manual process to verify customer information, such as proof of citizenship, insurance validity, and so on.
The service stage is also a key stage for many consumer businesses. The user experience at this level determines whether existing customers become champions or detractors for the brand.
From a CIAM standpoint, users should have seamless access to any product or service they consume. If there are multiple services involved, basic things like the ability to consume both services with the same account and having single sign-on among multiple applications have become must-have capabilities. Strong authentication with additional factors is also a need when accessing sensitive applications. In addition, adaptive authentication also plays a key role to balance convenience over security. Having mechanisms like account locking, and risk-based authentication gives more assurance to protect customers’ accounts from malicious parties.
This leads to another vital requirement: self-service. Customers should be able to update and review their privacy preferences, such as the use of different emails for different activities, change associated profile information, and update contact information. At the same time, a user should be able to adjust their security profile by configuring recovery mechanisms and register trusted devices for login. With the advancement of privacy regulations across the world, modern businesses must also give users data portability and the ability to deregister.
Additionally, during the service stage, a business might also go through changes, e.g., mergers and acquisitions of other brands, and these activities should not drastically impact the customer experience. The right CIAM solution can facilitate these moves in an incremental manner.
CIAM can even help initiatives such as loyalty programs, which aim to increase customer engagement. Loyal customers might opt for early access to new products and give more accurate feedback, which can be utilised in A/B testing for product or service changes.
As a CIAM solution is well connected with every system involving the customer, it enables organisations to generate enhanced and actionable behavioural data that can be used to predict and determine possible interests. Even during unprecedented times, this information helps to make better-informed decisions.
Enhancing the customer experience is at the heart of digital transformation. Today’s increasingly sophisticated customers view digital interactions as the primary mechanism to interact with products and services and, consequently, expect deeper online relationships delivered simply, securely, and seamlessly. CIAM plays a vital role in connecting applications and APIs to customers and provides all the capabilities needed to deliver a customer experience that is second to none.
Volkswagen faces EU fine for missing 2020 emissions targets
BERLIN (Reuters) – Volkswagen faces a fine of more than 100 million euros ($121 million) for missing EU targets on carbon dioxide (CO2) emissions from its 2020 passenger car fleet, the world’s largest carmaker said on Thursday.
It cut average CO2 emissions in the fleet in the European Union by around 20% to 99.8 g/km, but that was around 0.5 g/km above its target, Volkswagen said.
That implied EU fines amounting to a “very low triple-digit million amount”, a spokesman said.
European policymakers have clamped down on exhaust emissions, forcing carmakers to spur development of low-emission technology or face a penalty of 95 euros per gram of excess CO2 they emit.
“We narrowly missed the fleet target for 2020, thwarted by the COVID-19 pandemic,” CEO Herbert Diess said in a statement, adding he hoped to meet the target this year as the company’s main brands bring out new electric models.
Volkswagen is reducing the combustion-engined cars it offers and retooling more factories to build electric vehicles in an effort to keep up with electric carmaker Tesla.
It has said the EU’s more stringent emissions targets will force it to boost the proportion of hybrid and electric vehicles in its European car sales to 60% by 2030, up from a previous target of 40%.
Volkswagen admitted in 2015 to cheating emissions tests on diesel engines, a scandal which has cost it more than 30 billion euros ($33 billion) in regulatory fines and vehicle refits, mostly in the United States.
($1 = 0.8237 euros)
(Reporting by Jan Schwartz, writing by Emma Thomasson; editing by Jason Neely)
Oil dips after unexpected rise in U.S. crude stocks
By Ahmad Ghaddar
LONDON (Reuters) – Oil slipped on Thursday after industry data showed a surprise increase in U.S. crude inventories that revived pandemic-related demand concerns, but United States stimulus hopes limited the price downturn.
Brent crude futures fell 47 cents, or 0.8%, to $55.61 a barrel by 1030 GMT.
U.S. West Texas Intermediate (WTI) crude futures fell 43 cents, or 0.8%, to $52.88 a barrel, following two days of gains on expectations of massive COVID-19 relief spending under new U.S. President Joe Biden.
U.S. crude oil inventories rose 2.6 million barrels in the week to Jan. 15, according to data from industry group the American Petroleum Institute, compared with analysts’ forecasts in a Reuters poll for a 1.2 million barrel fall. [API/S]
Official Energy Information Administration (EIA) inventory data is due on Friday.
“If delayed EIA numbers tomorrow show a similar crude oil build, it would be the first build seen since early December,” analysts at bank ING said.
Rising COVID-19 cases in China, the world’s largest crude oil importer, also weighed on prices.
Beijing plans to impose strict COVID testing requirements during the Lunar New Year holiday season, when tens of millions of people are expected to travel, as it battles the worst wave of new infections since March 2020.
The commercial hub of Shanghai reported its first locally transmitted cases in two months on Thursday.
Elsewhere, new U.S. President Joe Biden’s administration has committed to curb carbon emissions and among his first actions as president, Biden announced America’s return to the Paris climate accord and revoked a permit for the Keystone XL oil pipeline project from Canada.
The administration is also committed to ending new oil and gas leasing on federal lands.
The administration will also seek to lengthen and strengthen the nuclear constraints on Iran through diplomacy and will be raising the issue in early talks with foreign counterparts and allies, according to the White House.
(Additional reporting by Sonali Paul in Melbourne and Koustav Samanta in Singapore. Editing by Jane Merriman)
SH Capital Ltd launches in Dubai to support SMEs with global banking services
Fintech provider to reconnect businesses with international banking services, digital treasury management solutions, risk management and cash investment products A...
Why CMOs Should Care About Customer IAM
By Darshana Gunawardana, Associate Director/Architect at WSO2 The surge to move online in 2020, in turn, has driven demand for...
Volkswagen faces EU fine for missing 2020 emissions targets
BERLIN (Reuters) – Volkswagen faces a fine of more than 100 million euros ($121 million) for missing EU targets on...
Ahli Bank, Oman, is SunTec’s 50th customer for its Indirect Taxation Solution
SunTec’s GCC VAT compliance solution to help Ahli Bank automate end-to-end VAT compliance process, manage regulatory changes, and seamlessly integrate...
Oil dips after unexpected rise in U.S. crude stocks
By Ahmad Ghaddar LONDON (Reuters) – Oil slipped on Thursday after industry data showed a surprise increase in U.S. crude...
UK factories see big drop in output ahead, supply problems too
LONDON (Reuters) – British manufacturers expect a sharp fall in output in the three months ahead and there were widespread...
Britain’s EG Group appoints Rose as non-executive chairman
LONDON (Reuters) – British convenience store and fuel retailer EG Group said on Thursday it had appointed Ocado Chairman Stuart...
Bitcoin slumps 10% as pullback from record continues
LONDON (Reuters) – Bitcoin slumped 10% on Thursday to a 10-day low of $31,977 as the world’s most popular cryptocurrency...
European firms improve diversity scores in pandemic year, study finds
By Aida Pelaez-Fernandez (Reuters) – The number of major European companies with high participation of women in leadership positions has...
Bank of Japan lifts next year’s growth forecast, saves ammunition as virus risks linger
By Leika Kihara and Tetsushi Kajimoto TOKYO (Reuters) – The Bank of Japan kept monetary policy steady on Thursday and...