Security is the most uttered word in the community of IT Heads of most of the organizations in the world. We can site its proof from the Cyber security threat report 2017 by IMPERVA. It is reported that around 79% organizations have been attempted to be hacked. However, the banking and financial industry is most targeted place where attackers can steal money very easily due to security loopholes in their IT infrastructure. In Bangladesh, stealing of money through the compromise of SWIFT network of Bangladesh Bank in 2016 has shaken the whole nation. The stealing of money from ATMs of various banks in Bangladesh in the same year has added fuel to the fire. Under such a situation, the IT Head of various banks are worst sufferer of anxiety due to the fact that they have neither experienced manpower nor have adequate budget to buy protective solution. Whenever they propose something to the Board to secure their IT infrastructure, they are asked an embarrassing question by the Board “has anything happened in our network of our bank?” The Board thinks that some mishap has happened in their network. Under such circumstance, we may adopt a different approach to motivate the Board to allocate resources.
Every Bank has a Risk Management Committee of the Board and another Risk Management Committee of the Bank and a community of managers and divisional heads. We can target these groups to obtain support for budget allocation from the Board. In every month, we may prepare a report on security breaches from various international sources and circulate it to all managers and Heads of various Divisions to create awareness and to establish the fact that we need a robust security system without which we may fall in trouble. We may present a demonstration in executive development program of our bank and may show the whole network infrastructure of our bank and may show the various windows of loopholes at various places of our network through which breach of security may happen.
We may also place a memo to the Management Committee and Risk Management Committee in order to invigorate them so that they can raise their voice in the Board for obtaining resource approval. We can also give a presentation to the Board about the latest cyber security landscape and our lapses to fight with it. We have to give emphasis on the fact that we have to establish a cyber defense system comprising an expert team and adequate security solutions over a period of time matching with the need to fight against latest vulnerabilities. All these efforts are only for obtaining resource allocation. But we have to be careful about proper strategic planning for IT security. We have to allocate some time everyday to study on this subject and if possible we have to participate in various seminar and training program specially designed for IT security organized by various international organizations to educate ourselves. If we can afford, we may take the help of reputed IT security professionals to prepare a strategic IT security plan. Once the plan and the manpower are approved by the Board, we may form a team to be dedicated for this purpose. As IT Security and Cyber security are the special type of job like commandos to rescue people from the hands of the terrorists, they should be most dedicated and the team should have adequate knowledge in networking, Database Management, Application Administration and IT security etc. They should be given proper guidance on what to do. If possible, we may select their team leader who have CEH, CISA, CISM etc. certifications. If they do not have these certificates, then we may identify some brilliant officers from the existing team and may encourage them to obtain these certificates. We may convince management to bear the cost of training and certification of these professional certifications. We may approve a budget for such type of training for both home and abroad in every year.
Now, how should we progress in term of achieving a secure network? The first thing we should emphasize on creating awareness among the employees. We should conduct such awareness program for all employees and we should clearly educate them about their expected behavior and initiatives to establish a secure network.
Next, we see that Bangladesh Bank has issued a letter to all banks in March 2016 to establish a Security Operation Center (SOC) that will operate in 24 hours. In order to comply the guidelines of this letter, we should prepare a SOC room with access control and video recording of the whole room and start with engaging one person in three shift shifts for monitoring security events from various sources. We may provide them some tools to monitor the alert/system logs of Web server, Application server and Database server initially and gradually they may be given some advanced tools to co-relate these logs with others sources like network devices, security devices to identify and block a malicious attempt of access into the network.
Now, we may set a target that in every month, the IT security team will be doing at least one complete task regarding securing the IT infrastructure. We assume that
we have prepared our IT policy and security guideline as per the latest guideline of Bangladesh Bank.
Before we start working on finding out the loopholes in every device or system, we have to fix the responsibility of every system. Every system must be owned by one particular officer. He should understand that all kind of secure configuration and secure measures for the devices and the Applications under his/her control should be taken by him/her. Now, a security team may prepare a checklist of secure configuration of a system from the Internet and may the audit the existing system configuration and may easily identify the deviations from the best practice. These deviations may be informed to the system owner who will change the configuration to conform to the best practices. All these activities should be done officially and a report should be preserved by IT Head to keep a proof that secure configuration management are being done. This activity should be repeated once an existing system is upgraded or an existing configuration is changed. Taking these initiatives, we may establish secure configuration for Switch, Router, OS, Database, Firewall, Application etc.
These are some of the initial measures we may take and some advanced measures may be discussed in subsequent issues of this magazine.