Taher Ahmed Chowdhury, the Deputy Managing Director of Islami Bank, is a 30 years experienced personality in field of IT and is therefore also the Head of Information & Communication of this bank. He has also played the role of Executive Vice President & CIO of first security of Islami Bank.
Mr. Taher Ahmed Chowdhury’s resume reveals that apart from completing MBA from IIUC, he have also mastered the International Project Managing from AAPM, USA, after which he finally mastered in Information Technology from Institute of IT from Jahangirnagar university. He, for the quest of knowledge, has also earned professional/global online certifications on MCP, MCSE and CCNA from Microsoft & Cisco, USA. Recently he has received CISSO (Certified information Systems Security Officer)from Miles2 of USA. The fact is, he is the only head of ICT in banking industry who have earned this prestigious online certification.
With such high qualifications in the field of IT, in 1986, he started his career as the Hardware Engineer of Beximco Computers Ltd.; which was the first IT Company of Bangladesh. After sometimes, he took a break from Beximco and joined as a Radio Electronic Instructor in the Marine Academy of Chittagong (under Ministry of Shipping) in 1993. However, he joined back Beximco in 2000 as the Senior Network Engineer. After a while during the period of 2002, he became the Senior Faculty & System In-charge of BRAC IBM-ACE & BRAC BITI. Nevertheless, he went back to Beximco; but this time as a Manager Technical of Training & Services in 2005. Later after a certain time, he finally shifted his career to banking and joined as the Assistant Vice President of IT division of IFIC Bank. He worked there before he finally became a part of Islami bank.
In our previous issue of Fintech, an introductory part of Taher Ahmed Chowdhury’s (the Deputy Managing Director of IT, Islami Bank) guidebook on “Executive leadership of cyber security” was published where a brief description on cyber security and its first core function was being discussed.
According to his guidebook, there are five core functions of cyber security; namely- Identify, protect, detect, respond and recover. Among these, the first core cyber security function, “Identify” and its sub elements were discussed in the previous issue.
In this issue, Fintech publishes his thought on the second core function of cyber security-“Protect and its elements”.
Once you have identified your bank’s threats, vulnerabilities, and risks, the next core cyber security function is to ensure your financial institution has the appropriate safeguards or controls in place to mitigate the various types of threats to your bank. This is vital as your bank’s protection measures are the “front lines” of defense in securing your information and crown jewels. These protection measures work to limit or contain the impact of a cyber security event or incident.
Financial institutions should develop and implement security measures to reliably authenticate customers accessing financial services via a bank’s website. The Federal Financial Institutions Examinations Council (FFIEC) issued guidance in 2005 that highlights the importance of multifactor authentication for financial institutions with Internet-based services. In the guidance, the FFIEC states that single-factor authentication, as the only control mechanism, is inadequate for high risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions are advised to implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate risks.
Identify and separate your most sensitive and critical information assets, such as your crown jewels, from less sensitive assets and establish multiple layers of security to access these critical information assets. In several high-profile breaches in recent years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access as far less important data. Separating your crown jewels from less sensitive assets provides mitigation against data compromise. Establish a process to track, control, prevent, correct, and secure access to your crown jewels and other assets, and decide which employees have a need and right to access these information assets. By controlling access to network resources, you can restrict unhealthy or misconfigured network clients from gaining entrance. If you place your resources in a shared cloud infrastructure, the provider must have a means of preventing inadvertent access.
The loss of control over protected or sensitive data is a serious threat to business operations and a potential threat to national security. Protect your bank’s data by using data loss prevention techniques. Not only is this a Top 20 Critical Security Control, banking regulators have issued regulations and supervisory guidance emphasizing the obligation of financial institutions to protect customer information. Interagency security guidelines implementing sections of the Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transactions Act of 2003 state financial institutions must:
• Develop and maintain an effective information security program tailored to the complexity of its operations; and Require, by contract, service providers that have access to its customer information to take appropriate steps to protect the security and confidentiality of this information.
Protect your bank’s critical information assets by using data encryption tools. Data encryption tools are used to protect sensitive data in transit over communications networks or at rest in storage. These tools should be considered your first line of defense from cyber threats. Keep in mind, however, that even when encryption is used, there is always the risk that a sophisticated hacker can exploit vulnerabilities in the encryption algorithm or attack underlying processes and protocols.
If your bank provides a wireless network for customers in your physical branches or offices, ensure that the public network is separate from the bank’s private network and that all staff-connected devices with critical data are connected solely to the private network. Make sure that your private network is secure, and make sure Internet-connected devices to the private network have the appropriate antivirus and anti-malware protections in place. Additionally, talk with your IT manager or your vendor about protection for all pages on your public-facing website and mobile apps, not just the login portal. Vulnerabilities can occur through web pages and access points that do not seem to be vulnerable at first glance.
Finally, talk with your regulator about best practices for securing sensitive data. Many federal and state regulatory authorities now proactively engage financial institutions about their cyber security preparedness and may have time-sensitive resources for you to use.
Secure Configurations for Hardware and Software Systems
Ensure your IT staff has established, implemented, and is actively managing (tracking, reporting on, correcting) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared to ease-of-deployment and ease-of-use, not security. Basic controls, open services and ports, default accounts or passwords, older (vulnerable) protocols, and pre-installation of unneeded software can all be exploitable in their default state.
The Council on Cyber Security’s recommended practices for securing configurations of hardware and software include:
• Establishing the use of standard secure configurations for your operating systems, ensuring to remove all unnecessary accounts, and disabling or removing unnecessary services.
• Implementing automated patching tools and processes for both applications and operating system software.
• Limiting administrative privileges to very few users who have both the knowledge necessary to administer the operating system and a business need to modify the configuration. The Council on Cyber Security also recommends that instead of starting from scratch, start from publicly developed and supported security benchmarks, security guides, or checklists. Some resources include the Center for Internet Security Benchmarks.
Perimeter Protection with a Firewall
A firewall is one of the most common tools used today to protect small and large businesses from intruders. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted. This is often referred to as “protecting the edge.” A firewall examines electronic data coming in or out of a network (or computer) and compares each piece of data to the security parameters it has been given. If it matches the rules, it is allowed to pass. If not, it is blocked and the system administrator is notified. In other words, firewalls provide broader protection against outside attackers by shielding your computer or network from malicious or unnecessary Internet traffic.
A firewall can either be software-based or hardware-based. According to the USCERT, hardware-based firewalls are particularly useful for protecting multiple computers, but also offer a high degree of protection for a single computer. One advantage hardware-based firewalls have over software-based firewalls is that hardware-based firewalls are separate devices running their own operating systems. This way they provide an additional line of defense against attacks. The drawback to hardware-based firewalls is the additional cost, but there are many available for less than $100. Software-based firewalls come built-in to some operating systems. The advantage of software-based firewalls is you can obtain one for relatively little or no cost.
Because of the risks associated with downloading software from the Internet onto an unprotected computer, it is best to install the firewall from a CD or DVD. The disadvantage to a software firewall is that it is located on the same computer as the information you’re trying to protect. This does provide some protection, but being located on the same computer may hinder the firewall’s ability to catch malicious traffic before it enters your system.
Always remember that firewalls alone will not give you complete protection from cyber threats. However, using a firewall in conjunction with other protective measures and practices (such as anti-virus software and “safe” cyber hygiene) will strengthen your resistance to attacks.