How to protect Hong Kong banks from information heist

With billions of dollars worth of transactions taking place across the globe every day, financial institutions are a goldmine for cyber-criminals, if their systems are breached.

According to the 2013 Data Breach Investigations Report by Version, 76% of incidents were the result of weak or stolen credentials. Secure Shell keys, a cryptographic private and public key-pair that is used to prove the user’s identity, are a commonly used credential for system administration and critical data transactions.

Traditionally, banks use Secure Shell keys to transfer massive amounts of sensitive financial and business information, including credit card numbers, personally identifiable data and account information.

From the perspective of an attacker or malicious insider, Secure Shell is an artery that carries data linked to the money itself – making the exposures created by mismanagement of Secure Shell keys an attractive target.

Challenge: manual control of keys
Having thousands to millions of these keys is common for the majority of banks worldwide including Hong Kong. However, most banks are still using manual processes for generating, configuring and deploying the Secure Shell keys.

Over time, this results in the uncontrolled proliferation of authentication keys, with little to no visibility into what each key does. A malicious actor, that gains access to a private key, can mimic an authorized user and access sensitive information with impunity.

After a study was performed on the management operations of some of the largest financial organisations in the world, a disturbing trend appeared. About 10 percent of all Secure Shell user keys provide privileged user access. In some instances, bank administrators have permission to create or delete Secure Shell user keys without approval – basically issuing uncontrolled access to systems and people, and creating a major security issue in direct violation of compliance requirements such as Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes-Oxley Act (SOX), and Monetary Authority of Singapore (MAS).

Case study: Auditor advised proper key management to a global top 5 bank
A Top 5 Global Bank, with 10,000+ servers, has been using over 1 million Secure Shell keys for driving thousands of mission critical transactions and banking operations every day.

An external audit found 150,000 keys that had privileged access in unknown status. The bank violated compliance mandates such as MAS and SOX; and even more seriously, the unmanaged authentication system created an existential threat to the organisation itself.

The security auditors raised attention to the risk and compliance issues stemming from lack of governance over the user keys. To fully address the issue and meet the compliance standards, the bank made the commitment to deploy an automated key management system in their network environments.

Key Management Best Practices
Financial institutions should immediately discover all existing key-pairs and map the trust relationships between machines and users. Then they should start to automate key setups and key removals, thereby eliminating manual work and human error.

This step reduces the number of administrators needed for key setups to a few highly trusted administrators. Last but not least, the management should enforce proper policies for approvals of all key setups.

Today a considerable portion of the global financial institutes, Fortune 500 and many major government agencies continue to operate out of compliance, and are unknowingly facing major security threats from hackers or rogue employees.

Best practices, such as the ones identified above, will position your bank to prepare for security threats and new compliance mandates before they occur.

In addition to IT involvement, executive management needs to step-in to protect the company from neglecting any compliance regulations that could bring about liability for the organisation.