Join us on June 25th, 2019, in Nairobi, Kenya, for a summit focusing on responsible finance and cyber security in the digital future. Discover real-life cases and recent attacks in the financial sector. Learn about innovative cyber security services and solutions for Sub-Saharan Africa.
Inclusive Digital Future. A summit on Responsible Finance in Action: Cyber Security for financial inclusion. June 25th 2019 – Nairobi, Kenya. Jean-Louis PERRIER, jlperrier@suricatesolutions.com, +352 691 613 163
Vision: supporting clients in Sub-Saharan Africa with innovative cyber security services and solutions
• Created in 2015 in Luxembourg, Senegal, Côte d’Ivoire, Tunisia, soon Morocco
• 3 sectors: Financial Inclusion & Finance, Government, large corporations
• 5 activities: Operational Security (supervision); Governance, Risk Management, Security Assessment; Technical Audit and Penetration Tests, Application Security; Security Infrastructure (IBM Business Partner); Training
Co-founders: complementary skills with long experience of Africa
• Mehdi Azdabbaz, Associate, MD Senegal: BA Industrial Systems; 30 years in financial systems and electronic banking in Africa; set up and ran ATM / POS / electronic banking / electronic banking security affiliates in 12 countries; expert in electronic banking security
• Christophe Bianco, CEO: MSc IT Engineering + MBA HEC; 20 years of experience in cyber security (marketing, sales, CTO); co-founder and MD of Excellium Services (No. 1 cyber security company in Luxembourg, 130 experts, €15M in 2018), present in Belgium, Morocco, Tunisia; part of the SONAE Group (91 countries, 46,000 employees) cyber security division, in total > 600 experts, a top 5 European cyber security pure player
• Jean-Louis Perrier, Associate, Development: MSc IT Engineering + MBA HEC; 30 years of experience in telecoms, IT, financial services, distribution; CIO, MD, fraud and security, risk management, marketing & business development EMEA; managed 50 people 24x7 in an MNO Fraud Operation Centre; member of the GSMA Fraud Forum
Recent attacks show the cyber security situation is getting more critical
• December 24th, 2018, 6PM: intrusion into the Core Banking System of a large MFI in WAMU. Phishing of the CIO’s email granted system access with privileged accounts. Fraudulent transactions started immediately and were stopped quickly after being detected by Suricate security supervision.
• March 2019: intrusion into the Core Banking System of Banque de Dakar (Senegal). Losses ≈ €0.5M. Accounts opened fraudulently with real IDs, then large fraudulent money transfers through an intrusion, followed by withdrawals. 6 Nigerians and 1 Senegalese arrested by the Senegalese police; the head of the criminal organization and the hackers are still at large. Intrusion undetected for several weeks.
• March 2019: large-scale ransomware attack (servers encrypted until a ransom in Bitcoin is paid) against an oil company, one of the largest companies in WAMU.
• April 2019: large-scale ransomware attack on one of the largest utilities in WAMU. Several tens of servers infected, no IT for more than a week (email, invoicing, customer service, field operations).
• May 2019: intrusion into the Core Banking System of Sonibank (Niger). Losses ≈ €0.5M.
Closer look at a West African MFI incident
• Tier II MFI, SME-oriented, > 20 years of experience with a good track record, no refinancing problem (yet)
• Losses > €60k in 2 months through fraudulent money transfers entered remotely on cashiers’ workstations
• Losses probably exceed the fees earned in a couple of years and the yearly net result
• Money transfers stopped as an emergency measure = loss of fees
• All providers: Wari, MoneyGram, Western Union, RIA
• Transfer destinations: Ivory Coast, Morocco, Guinea
• Emergency audit & forensic investigation: a critical but typical situation: outgoing data transfers towards Ivory Coast and Yemen; management and employees not aware of information security risks; technical team not trained on security; poor token management (bank and MFI); insecure passwords; inadequate allocation of privileged accounts; few computers protected by antivirus, and those with obsolete signature databases; devices not updated (servers, PCs, firewall, ...); firewall wrongly configured; inadequate network architecture; inappropriate internal controls; no operational security supervision; no cyber security insurance; no fraud clause in DFS contracts; ...
• Basic Remote Access Trojan “NanoCore” undetected for 2 months, until the money from the FSP arrives
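The audit findings above (outgoing data transfers to Ivory Coast and Yemen from a network with no operational security supervision, and a commodity RAT that phoned home unnoticed for two months) are exactly what a minimal supervision rule can surface from ordinary firewall logs. The Python below is an added illustration, not code from the presentation, from Suricate Solutions or from the incident response. The log lines, the IP-to-country table (a stand-in for a GeoIP database, using documentation address ranges) and the “cashier PCs only talk to domestic destinations” allowlist are all constructed assumptions for the example. It flags per-flow beaconing (regular inter-connection intervals, the typical signature of a RAT check-in) and any flow to a country outside the allowlist.

```python
"""Toy outbound-traffic supervision: flag RAT-style beaconing and unexpected
foreign destinations in firewall logs. Added example for this page; the log
lines, prefixes and allowlist below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed stand-in for a GeoIP lookup: RFC 5737 documentation ranges,
# mapped to country codes purely for the example.
GEO = {
    ip_network("203.0.113.0/24"): "YE",   # "Yemen" in this toy table
    ip_network("198.51.100.0/24"): "CI",  # "Ivory Coast"
    ip_network("192.0.2.0/24"): "SN",     # "Senegal" (the MFI's own country)
}
# Assumption: cashier workstations have no business reason to reach abroad.
ALLOWED_COUNTRIES = {"SN"}

# Constructed firewall log lines: cashier PC 10.0.5.21 checks in with a foreign
# host every ~60 s (RAT beacon) and pushes data to an Ivory Coast FTP server;
# PC 10.0.5.22 browses a domestic site at irregular intervals.
SAMPLE_LOG = [
    "2019-03-01T09:00:00 src=10.0.5.21 dst=203.0.113.7 dport=443 bytes_out=1200",
    "2019-03-01T09:00:00 src=10.0.5.22 dst=192.0.2.10 dport=443 bytes_out=8000",
    "2019-03-01T09:00:05 src=10.0.5.22 dst=192.0.2.10 dport=443 bytes_out=4200",
    "2019-03-01T09:01:00 src=10.0.5.21 dst=203.0.113.7 dport=443 bytes_out=1180",
    "2019-03-01T09:01:30 src=10.0.5.21 dst=198.51.100.9 dport=21 bytes_out=5200000",
    "2019-03-01T09:02:02 src=10.0.5.21 dst=203.0.113.7 dport=443 bytes_out=1210",
    "2019-03-01T09:02:59 src=10.0.5.21 dst=203.0.113.7 dport=443 bytes_out=1195",
    "2019-03-01T09:03:40 src=10.0.5.22 dst=192.0.2.10 dport=443 bytes_out=3100",
    "2019-03-01T09:04:00 src=10.0.5.21 dst=203.0.113.7 dport=443 bytes_out=1205",
    "2019-03-01T09:10:00 src=10.0.5.22 dst=192.0.2.10 dport=443 bytes_out=2600",
]


def country(ip: str) -> str:
    """Return the toy country code for an IP, or '??' when unknown."""
    addr = ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def parse(line: str) -> dict:
    """Parse one 'timestamp key=value ...' log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": kv["src"],
        "dst": kv["dst"],
        "dport": int(kv["dport"]),
        "bytes_out": int(kv["bytes_out"]),
    }


def find_suspicious_flows(lines, allowed=ALLOWED_COUNTRIES,
                          min_hits=4, max_jitter=0.2):
    """Group connections by (src, dst, dport) and flag each flow that is
    periodic (relative jitter of the gaps <= max_jitter, needs at least
    min_hits connections) and/or goes to a country outside the allowlist."""
    flows = defaultdict(list)
    for rec in map(parse, lines):
        flows[(rec["src"], rec["dst"], rec["dport"])].append(rec)

    alerts = []
    for (src, dst, dport), recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        cc = country(dst)
        if cc not in allowed:          # unknown ('??') counts as foreign
            reasons.append("foreign-destination")
        period = jitter = None
        if len(recs) >= min_hits:
            gaps = [(b["ts"] - a["ts"]).total_seconds()
                    for a, b in zip(recs, recs[1:])]
            period = mean(gaps)
            # Relative jitter: a RAT with a fixed sleep gives a small value,
            # human browsing a large one.
            jitter = pstdev(gaps) / period if period > 0 else 0.0
            if jitter <= max_jitter:
                reasons.append("periodic")
        if reasons:
            alerts.append({
                "src": src, "dst": dst, "dport": dport, "country": cc,
                "hits": len(recs),
                "period_s": None if period is None else round(period),
                "jitter": None if jitter is None else round(jitter, 3),
                "bytes_out": sum(r["bytes_out"] for r in recs),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_flows(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the beacon to the “Yemen” host is reported with a 60-second period and both reasons, the single large FTP upload to “Ivory Coast” is reported on destination alone, and the irregular domestic browsing is not reported. Unknown destinations are treated as foreign on purpose: for a cashier workstation an unresolvable destination deserves a look, and an analyst can widen the allowlist once a business reason is documented. A real deployment would replace the toy GEO table with a GeoIP database and feed the rule from the firewall’s own log export.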
1st Symantec review of a large-scale attack in West Africa
• 5 countries affected
• Same basic tools & techniques
• 1 or several groups?
• 4 campaigns in 18 months
• + 2 similar attacks we spotted in Benin and Senegal
Source: https://www.symantec.com/blogs/threat-intelligence/african-financial-attacks
… attacking African banks is a trend that many industry experts saw coming.
• Over the past two years… concerted efforts from different hacking crews, some of Russian and some of North Korean origin, that have focused on banks and financial institutions located in South East Asia, Eastern Europe, and South America.
• …banks are targeted in these regions because there's a high chance that they have not all invested in their IT infrastructure and cyber-security measures. A poorly designed and unsupervised network makes attacks easier to carry out and hide for a long time…
• Lacking from past reports …was Africa, which surprisingly hasn't been targeted until now.
• The African financial sector's period of calm appears to be over.
Source: https://www.zdnet.com/article/west-african-banks-hit-by-multiple-hacking-waves-last-year/
Digital Financial Services: a key to financial inclusion ... DFS security is a MUST DO & a PREREQUISITE
(Diagram: Financial Inclusion; Opex reduction; Coverage expansion; Digital Financial Services; Open networks; Value added services; Customer experience; Increased regulation: risk management and customer data protection; ICT; Increased lenders’ due diligences; Reliability, Security, Trust)
Cyber crime: things ain't what they used to be. An explosive evolution, a reality in Africa, little assistance from governments (World)
• Losses > €500B in 2014 (x9 in 9 years), 1% of GNP
• 400M persons affected each year, 20% of businesses. Yahoo, LinkedIn, Target, JP Morgan, NSA
• 900,000 malware samples in 2015 (x3 in 1 year)
• Professionalization and internationalization of criminal organizations
• In Russia alone, 20 to 30 organizations have the level to attack states. North Korea on the rise.
• Europe: Russians & Ukrainians hacked 100 financial institutions in 10 countries, losses €1Bn in 3 years
• Ransomware Petya/NotPetya/WannaCry: FedEx $300M, Maersk $300M, Saint-Gobain €220M, Reckitt Benckiser £110M
• Central banks & banks hacked through the SWIFT network: Ecuador $12M, Bangladesh $81M, Nepal $4.4M, Mexico $15M, Taiwan $60M, Russia $6M, India $2M, Chile $10M & 9,500 PCs and servers damaged
• Coincheck: $500M stolen in crypto-currency
• AFI, Alliance for Financial Inclusion: “cyber security may become a systemic risk for financial inclusion”
Various sources, Suricate summary
Cyber crime: things ain't what they used to be (Africa)
• 330M internet users, +30% p.a.
• 200M cyber attacks p.a. (+38%)
• Losses > €1B: €573M South Africa, €500M Nigeria, €39M Ivory Coast, €36M Kenya, €23M Senegal
• 15 countries out of 54 have a national security centre (West Africa: Ivory Coast, Burkina, Nigeria)
• 2015 Ivory Coast: money transfer hijacks (+207%), mobile payment frauds (+74%)
• 2016 Liberia: no internet for a week
• 2017 West Africa MFI: €60k in 2 months on fraudulent money transfers
• 2018 National Bank of Kenya: €0.25M to €0.6M in 2 hours
• 2017-2018: banks in 5 West African countries
• 2019: 2 banks in Senegal & Niger with losses of €0.5M to €1M
• 2019: a large West African utility stopped operations for 8 days after a ransomware attack
• No mechanism to gather, analyze and report security incidents in the region => very few incidents are publicized
Various sources, Suricate summary
Cyber crime: things ain't what they used to be (Senegal)
• 2014: 5 ministries: foreign affairs, interior, Official Journal, sports, social protection and national solidarity
• 2014: Senegal customs (15% of GDP)
• 2015: National IT Agency (ADIE), Ministry of Livestock and Animal Productions (MEPA)
• 2015: money transfer operator Jonijoni; Money Express business continuity in question
• 2015: most big MFIs and major money transfer operators
• 2016: no operations for 2 major banks for a day
• 2017: CBAO €1.5M, La Poste €1.5M: ISO 27001 & PCI DSS certification did not prevent intrusions; costly post-hack security investments on inappropriate technologies
• 2017: largest money transfer operator: no operations for 3 days for “maintenance” ... in December
• May 2018: most government internet services
• January 2019: BCEAO thwarts a €1.25M cyber attack in 6 countries
Various sources, Suricate summary
Serianu Africa Cyber Security Report 2017: survey of 700 institutions from 12 sectors across West and East Africa, 5th edition
• Cost of cyber crime: $3.5B in 2017, +20%
• $1B for Nigeria, Kenya, Ghana, Tanzania, Uganda
Source: http://www.serianu.com/resources.html
Cyber crime insights
• Consequences worsen AND frequency rises
• Customer data losses (in a context of stronger regulation)
• Financial losses: 80% money related (93% for financial institutions) => FINANCIAL INSTITUTIONS ARE MAJOR TARGETS
• Denial of service (34% of attacks)
• A huge and evolving variety of modus operandi
• 85% of attacks use 10 vulnerabilities out of > 900 listed
• > 110,000 vulnerabilities (CVEs) listed in 10 years
• Tens of attack patterns, of which 9 account for 95% of cases
• Fast pace: 2017: ransomware; 2018: crypto-currency mining
• 80% external intrusions, but FIs should not forget internal intrusions
• Poor detection: you can find only what you know
• Short intrusion and data exfiltration time: a few minutes in > 80% of cases
• Long detection time: several weeks in > 80% of cases
• INTRUSIONS DO HAPPEN: ethical hackers get administrative rights in 95% of cases in about 10 days
Source: Verizon DBIR 2016
Cyber crime: a complex landscape (diagram). Source: ENISA
CYBER CRISES are (generally) not prepared for, although a cyber crisis is the most probable event a company can face in its RISK MANAGEMENT. Crisis management and cyber resilience (procedures, detection and response systems, collaborations, communication) must be thought out and tested upstream ... even if reality will (probably) not match what was expected => need to promote and build a collaborative environment. https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret
Capacity building is a key issue: 3.5M security engineers missing worldwide
• The US employs 780,000 people in cybersecurity positions, with 350,000 openings
• India: 1M experts needed
• 10,000 security professionals in Africa (Serianu report)
• Action plan to start between government, academia, private and public sector
Regulatory and legal frameworks are improving ... but still a long way to go
• Budapest Convention on Cybercrime (CoE, 2001)
• ECOWAS Directive C/DIR/1/08/11 of 19 August 2011 on the fight against cybercrime
• African Convention on Cyber Security and Personal Data Protection (Malabo, June 2014: only signed by 3 countries)
• Several national cyber security strategies have been or are being established (e.g. Senegal (SNC2022) plans the set-up of a national cyber security agency and a national CERT)
• The European General Data Protection Regulation (GDPR) applies since May 2018; fines up to €20M or 4% of global turnover
• ... but international judicial cooperation is not up to the problem
National budget: 4,000 billion XOF (;-). Source: PressAfrik.com 15/05/2018
Cyber crime in the financial sector in Africa
• Hackers’ targets shift: from data breaches to cash
• Central banks are hacked
• Banks are hacked
• Financial inclusion is hacked
• Africa is hacked: in 2017 (*): $3.5B annual cost of cybercrime; x2 successful attacks against the financial sector; 39% of losses hitting banks and electronic transactions
• Smaller institutions are more at risk: the 4 largest US banks spend about $1.5B a year on cyber security, which is the yearly spending of the whole of Africa
• Eruptive risk: from customer protection to systemic risks
(Diagram: Financial Institutions / Customers; Data / Financial Assets)
(*) Source: Africa Cyber Security Report 2017, Serianu
Houston, we have a problem
• You cannot rely on norms, standards and certifications only
• You cannot rely on technology
• You cannot rely on network operators’ security (*)
• You cannot trust device security & app security (*)
• You cannot rely on your staff (*), and they are not enough
• You are not prepared for crisis management
• You should not wait for governments, police, justice, for an international issue
(*) CGAP Webinar, Cybersecurity for mobile financial services, October 2018
ROUNDTABLE: International Standard ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls
Why ISO 27002?
• Reference framework for selecting controls within the process of implementing an Information Security Management System (ISMS, ISO 27001)
• Guidance document for organizations implementing commonly accepted information security controls
• Intended for use in developing industry- and organization-specific information security management guidelines, taking into account their specific information security risk environment(s)
• Comprehensive and (relatively) light: 14 information security clauses, 35 control categories, 114 controls (2013 edition), about 80 pages
• Practical basis for audits, due diligences, maturity assessments, benchmarking, sectorial analysis
Roundtable organization
• 20 min, just a glance
• 7 tables max
• Designate a spokesperson for each table
• 5 min for ranking
• 7 x 2 min pitch per table
Let’s play: what is important, and where should we aim? (Example slide)
(Balanced Scorecard sample, random data)
Takeaways
• Effective information security: reduces risks by protecting the organization against threats and vulnerabilities, and thereby reduces impacts on its assets; implementation of a set of controls, including policies, processes, procedures, organizational structures, software and hardware; holistic view of the organization’s information security risks, allowing risk-based decision making; the security that can be achieved through technical means is limited; may be a business enabler
• Requires: support from all employees in the organization; participation from shareholders, suppliers or other external parties
Circa 98% of budget spent on prevention? See: IBM X-Force Threat Intelligence Index 2018
Please, move swiftly from cyber (un)security to cyber resilience!!
Investments up to now: Awareness; Simple risk management; Supervision; Vulnerability scanning, pentesting
New directions: Incident response; Community building; Intelligence sharing; Crisis management
Source: Thalès 2017, Suricate Solutions analysis
Cyber Security for Financial Inclusion: Senegal project
• Feb. 2016: a Luxembourg economic mission allowed us to meet all stakeholders (MFIs, fintechs, professional associations, government, central bank, supervisor, ...)
• Diagnostic: inclusive finance is highly exposed to cybercrime, with limited resources to deal with it
• Nov. 2016: project validated by the Luxembourg Government & EIB: bring together the best cyber security experts in Luxembourg; provide long-term support to MFIs to enhance their security and capabilities; North-South public-private partnership
• Apr. 2017: official launch with sponsorship from APSFD, DMF
• Jul. 2017: start of proof of concept
• Jan. 2018: commercial launch
Prevention & remediation need global expertise. CERTs are organized in an international network. (Diagram: CERT, Computer Emergency Response Team. Source: ENISA)
Detection needs a real-time 24x7 operational organisation. (Diagram: CERT, Computer Emergency Response Team: level 3; SOC, Security Operation Center: levels 1 & 2. Source: ENISA)
CSOC: 4 key components for efficient response: Security Intelligence, Organisational Component, Technical Infrastructure, Operational Security Team
• State-of-the-art performance
• Proximity and local costs
• 7 to 8 security analysts in Senegal
• Approx. 45 SOC / CERT experts in Luxembourg
• Availability 24x7
• Initial and lifelong training
• Coaching and skills development
Reference technical & financial partners (diagram): 120 experts & consultants; SOC training, L2 & L3 support; Security Awareness; Security Assessment; Risk Management; Crisis Management / Room #42; MFI professional association & institutions; CERT.XLM; Security Intelligence Network; Funding (other countries); Research & Academic; Funding (Senegal)
Cyber Security Operation Centre, based in Dakar, Senegal
• Regional & continental reach
• Protection of customers & private and public institutions
• Mutualized services to prevent, detect & mitigate attacks, improve compliance
• World-class technology, processes & security intelligence
A comprehensive set of continuous-improvement security services to accompany institutions
• Security Supervision & Incident Response: this core service is a 24x7 real-time detection capability
• Capacity building: coaching and technical support, part-time CISO, awareness and cyber security training programs for management, technical teams, local offices and employees
• Information Security Risk Management: “Flash Diagnostic” maturity assessment, MONARC risk management framework, business continuity, penetration testing, security policies ...
• Intelligence sharing network to report and research incidents, identify attack models, share information, recommendations and best practices within the sector and with external parties; R&D on new tools and methods
• At the start, we rely on 2 public and private Luxembourg CERTs, then develop a Pan-African Financial Inclusion CERT
(Diagram labels: “Old timer: start here”; “Now: start here”; “2 or 3 SOCs?”; “1 Pan-African CERT?”)
Security services: an answer for every organization
• Services: Security & compliance supervision; Risk management, business continuity; Best practices & security awareness; Audit, pentest, advisory (bespoke); Security training; Forensic investigations; Vulnerability assessment
• Segments: Large institutions (> 100k customers; “Article 44” in WAMU, 11 MFIs in Senegal, reinforced regulation, 90% of customers); Medium institutions; Small institutions
• CTISN mutualized MFI cloud hosting
• + Comprehensive & fast-track roll-out
Conclusions
• Let’s be pragmatic: the threats and attacks are there even if we do not measure them well
• Don’t translate 100% locally overly sophisticated frameworks built for rich banks; prioritize the basics. Our top 4: awareness at MD level; security supervision (KISS, Keep It Simple Stupid, but based on strong cyber threat intelligence); prepare recovery; regulatory must-dos (e.g. governance, pentest, ...)
• Security should be embedded in every structure of the organization
• You are not alone: contribute to local, regional and continental sharing networks
• Central banks have a leading role to promote cooperation, maybe even before regulation
• We are there to help the financial community in the region
Cyber Security Risk Assessment and Awareness-Raising Campaign in West and East Africa
• Flash Diagnostic: consultant-assisted diagnostic (circa 1 man-day per institution); maturity assessment and first level of individual recommendations; adapted from the ISO 27002 methodology and tools developed by the Cyber Security Competence Center of the Luxembourg Government; SME-oriented (including microfinance, micro-insurance, DFS providers, fintechs); suitable to extend funders’ due diligences
• Cyber security awareness-raising campaign: designed with the Smart Campaign, with inputs from SPTF Europe and ADA; aims to share widely the results of the diagnostics and initiate a dialogue among the different stakeholders. Data will include: statistical data on the whole sample; key trends or insights at country and sector level; qualitative data gathered through questionnaires; synthesis of recommendations and action plans
• Intended sample size: 40 FSPs of different sizes (large or medium)
• Funding still open (circa €55,000)
Looking to the future: African Cyber Security Resource Centre
Objectives
• Replicate and expand our field experience from Dakar to the whole continent
• A joint proposal from Suricate Solutions, the Luxembourg Government Cyber Security Centre, and the University of Luxembourg’s cyber security research centre SnT
THINK BIG, START SMALL, MOVE FAST
General directions
Goal: improve cyber security for financial inclusion institutions in Sub-Saharan Africa by building and mobilizing a whole ecosystem with public and private actors. This requires a complex organization to efficiently address strategic, tactical and operational issues in 50 countries.
Fast setup: rely on / reuse existing structures, ecosystems, know-how and experience.
Scalability: the organizational concept can be prototyped in a pilot before rolling out in SSA, and later be expanded to North Africa for financial inclusion, to other FSPs in Africa, and to other continents for financial inclusion.
Inspirations: two sector initiatives remarkable for their organization and their longstanding capability to share intelligence and best practices while ensuring appropriate confidentiality:
• The FS-ISAC, Financial Services Information Sharing and Analysis Center (*) https://www.fsisac.com/
• The GSM Association’s FASG, Fraud and Security Group https://www.gsma.com/aboutus/workinggroups/working-groups/fraud-security-group
(*) the European Union’s EU FI-ISAC for the financial sector is more dedicated to government bodies than to FSPs
Organizational concept based on 3 levels
Strategy: Regional Financial Inclusion ISAC, Information Sharing and Analysis Centre [independent organisation]
• Global coordination and partnerships
• Funding (grants from donors, yearly membership depending on the size of the FSP)
• Strategic advisory for policy makers
• Capacity building, crisis simulation room, awareness documents
• R&D on malware, tools and methods
• Reference CERT, in charge of threat intelligence management (MISP)
• More on ISACs: https://www.enisa.europa.eu/publications/information-sharing-and-analysis-center-isacs-cooperative-models
Tactical: 3 sub-regional CSIRTs focused on incident response [private organisation]
• West and Central Africa (francophone), West Africa (anglophone), East Africa (anglophone)
• Each is level 3 support for a cluster of SOCs (detection, forensics, remediation, recovery, crisis management)
• Advisory services (security strategies, policies, maturity assessment, risk management, ...)
• Training
• Pentesting, application security
Operational: 3 or more sub-regional SOCs (*), focused on detection [private organisation]
• Detection, with 24x7 security monitoring, vulnerability scanning
• Proximity advisory services; armed wing of the CERT when a local intervention for forensic analysis is needed
• Ideally co-located with the CSIRT
(*) or local, in case of volume or regulatory constraints
Functional chart (draft): Africa Cyber Security Resource Centre, with a Management Board, an Advisory Board and Financial Management. Functions: Strategic Advisory; Capacity Building; Coordination & Partnerships; Research, Development & Innovation; Information Sharing & Analysis Centre. Units 1 to N (Cyber Security Response Team), each with a CSIRT, SOC 1 and SOC 2, and Advisory 1 and Advisory 2.