The Banking, Financial Services, and Insurance (BFSI) sector faces increasing cybersecurity challenges, with threats ranging from phishing campaigns to bot attacks.
Shailendra Sahasrabudhe, the Country Manager for India, UAE, and South East Asia at Cymulate Ltd., in a candid conversation with Nisha Sharma from CIO&Leader, highlights the significance of multi-factor authentication and regular training, and envisions the emerging role of AI in reshaping cybersecurity frameworks. Excerpts from the interview:
CIO&Leader: With the rise in bot attacks and phishing assaults on the BFSI sector, what immediate cybersecurity measures should banks and financial institutions prioritize?
Shailendra Sahasrabudhe: Training, testing, and multi-factor authentication (MFA). Providing security awareness training regularly (once a quarter or once a month, not once per year) allows for shorter sessions with more updated information – both more likely to be effectively taken on board by non-technical users. Testing of users is important, but testing compensating controls (such as firewalls and other web gateways) is equally necessary. MFA aids in blocking unauthorized login attempts when a threat actor does succeed in obtaining user credentials.
CIO&Leader: Given the pace of digital transformation in the BFSI sector, how is a balance between customer convenience and security achieved?
Shailendra Sahasrabudhe: Methods such as single sign-on technologies with adaptive authentication can increase customer satisfaction and enhance security. Customers have to log in less often when accessing multiple services, and systems recognize when login and other behavior is aberrant and should result in an identity challenge. This is just one example of increased security operations improving customer experiences.
CIO&Leader: In the context of the BFSI sector, which vulnerabilities are most frequently exploited by threat actors?
Shailendra Sahasrabudhe: While there are threat actors that target the BFSI sector, it is critically important not to view cybersecurity resilience as a defense against any set of specific vulnerabilities. Threat actors can and do change their tactics frequently, abandoning older vulnerabilities and adopting newer exploits – or even using older exploits instead of newer vulnerabilities. Attack Surface Management (ASM) is the better method to use. ASM looks at what vulnerabilities are visible and accessible to a threat actor by looking at the environment as they would look at it. This allows you to see the vulnerabilities most likely to be exploited, even if they are not currently utilized in the threat landscape – because they could become the most frequently utilized tomorrow.
CIO&Leader: How do you assess the readiness of Indian banks and financial institutions against the sophisticated cyber threats they face?
Shailendra Sahasrabudhe: With Indian banks embracing mobile and internet banking and adopting a hybrid cloud, they are witnessing an exponential rise in cyber threats. Hence, banks, as well as other financial institutions, have to assess their readiness against evolving threats. The approach includes validating all security controls to identify potential misconfigurations and keep validating continuously. It is critical to ensure banks comply with regulatory requirements where comprehensive control validation is suggested as best practice. These organizations in the BFSI sector should not rely on outdated validation processes like VA and PT. However, they should adopt new strategies like breach attack simulation, continuous automated red team, and attack surface management to help identify and address the weaknesses across the IT infrastructure. Regular control validation can improve the organization’s maturity levels of cyber resilience. It is very crucial for these organizations to remain proactive.
CIO&Leader: With increasing attacks per application in the BFSI sector, is there a particular area within the application landscape that needs heightened security attention?
Shailendra Sahasrabudhe: Legacy applications. Over the last two years, significant successful attacks have been against outdated and legacy software and platforms. Two notable examples are ProxyShell and MOVEit. In both cases, older versions of the targeted platform (Exchange Server for ProxyShell and Progress Software’s MOVEit platform) could not be patched as the vendors no longer supported the outdated versions. This left hundreds of thousands of systems vulnerable to attack with no way to effectively defend against incursion.
CIO&Leader: How can BFSI institutions ensure that their employees and users are adequately educated about the rising threats, especially phishing attacks?
Shailendra Sahasrabudhe: Regular security awareness training is critical. Even “non-technical” employees are capable of using Outlook to get their email, so they can learn how to spot fraudulent and/or malicious emails, but the training has to be non-intrusive. Smaller, more frequent training sessions can accomplish this. Additionally, testing should be done in a way that allows the cybersecurity team to differentiate between a user who fails but has been trying to succeed and a user who is simply not trying to defend the organization. Monitoring the time between reading the email and interacting with a link or attachment, for example, shows who is really trying to determine if the link is legitimate before clicking on it versus a user who just clicks without thinking.
CIO&Leader: Can you elaborate on the process of creating customized attack scenarios? How can BFSI organizations leverage these for optimum results?
Shailendra Sahasrabudhe: Customized scenarios allow for the creation of attack simulations tailored to specific concerns – such as replicating the preferred techniques of a specific Advanced Persistent Threat (APT) group. They can also be very helpful in confirming that remediation for a specific issue was successful by re-running a specific sequence of techniques that were not detected/blocked in a previous assessment. With offensive testing professionals (either on-staff or through a partner), custom scenarios can allow organizations to gain an even higher level of cybersecurity resilience.
CIO&Leader: Continuous automated red team assessments are essential, but how can they be executed without disrupting daily operations in a BFSI setting?
Shailendra Sahasrabudhe: Continuous automated red teaming (CART) is a powerful methodology for testing real-world attack sequences. When performed by experienced offensive testing professionals who understand the environment that will be assessed, CART allows for the creation of custom attack scenarios that will not have an adverse impact on operations. In some cases, this may require isolated lab systems to ensure there are no production disruptions. It should be noted, however, that CART is only one tool that can be brought into use by an organization concerned about security validation. Breach and Attack Simulation (BAS) uses production-safe, pre-built attack scenarios that will be non-disruptive and non-destructive, allowing for flexible assessment operations by technology professionals at all levels of cybersecurity expertise in production environments.
CIO&Leader: How do you see the future of cybersecurity evolving, especially in sectors as critical as BFSI?
Shailendra Sahasrabudhe: Based on what is happening in multiple countries, new government regulations will begin to make cybersecurity more mandatory. The Securities and Exchange Commission (SEC) in the United States, for example, recently implemented new rules for organizations that require much more detailed disclosure of not only breach incidents but also what protocols and methodologies are being used to aid in cyber defense. This will push cybersecurity concerns into the business itself – at senior leadership and even the board level. Overall, such changes are a net positive, as they highlight that cybersecurity is a business issue, not only a technology issue.
CIO&Leader: What role do AI and machine learning play in both advancing cybersecurity measures and in the strategies used by cyber attackers?
Shailendra Sahasrabudhe: AI is an emergent component of both offensive and defensive cybersecurity. For offensive groups, AI can be used to create startlingly difficult-to-identify phishing emails and other forms of social engineering. Some early indicators exist that threat actors are beginning to use AI to create polymorphic malware, which can change and alter the malware itself each time it is launched in order to evade detection. On the defensive side, AI can allow for more complete custom scenarios by suggesting the best combination of tactics and techniques to simulate the actions of known threat actors. In time, AI will also be able to automate assessments safely, though that will not be viable for most likely two to four years from now as development continues. AI is also routinely used to identify malicious behaviors by EDR and XDR platforms, and this advanced and adaptive pattern recognition has led to amazing breakthroughs in detection accuracy. The future holds many possibilities for AI’s use in cybersecurity on both sides of the battle lines.