How to protect Hong Kong banks from information heist

By Tommi Lampila

With billions of dollars worth of transactions taking place across the globe every day, financial institutions are a goldmine for cyber-criminals, if their systems are breached.

According to the 2013 Data Breach Investigations Report by Version, 76% of incidents were the result of weak or stolen credentials. Secure Shell keys, a cryptographic private and public key-pair that is used to prove the user’s identity, are a commonly used credential for system administration and critical data transactions.

Traditionally, banks use Secure Shell keys to transfer massive amounts of sensitive financial and business information, including credit card numbers, personally identifiable data and account information.

From the perspective of an attacker or malicious insider, Secure Shell is an artery that carries data linked to the money itself – making the exposures created by mismanagement of Secure Shell keys an attractive target.

Challenge: manual control of keys
Having thousands to millions of these keys is common for the majority of banks worldwide including Hong Kong. However, most banks are still using manual processes for generating, configuring and deploying the Secure Shell keys.

Over time, this results in the uncontrolled proliferation of authentication keys, with little to no visibility into what each key does. A malicious actor, that gains access to a private key, can mimic an authorized user and access sensitive information with impunity.

After a study was performed on the management operations of some of the largest financial organisations in the world, a disturbing trend appeared. About 10 percent of all Secure Shell user keys provide privileged user access. In some instances, bank administrators have permission to create or delete Secure Shell user keys without approval – basically issuing uncontrolled access to systems and people, and creating a major security issue in direct violation of compliance requirements such as Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes-Oxley Act (SOX), and Monetary Authority of Singapore (MAS).

Case study: Auditor advised proper key management to a global top 5 bank
A Top 5 Global Bank, with 10,000+ servers, has been using over 1 million Secure Shell keys for driving thousands of mission critical transactions and banking operations every day.

An external audit found 150,000 keys that had privileged access in unknown status. The bank violated compliance mandates such as MAS and SOX; and even more seriously, the unmanaged authentication system created an existential threat to the organisation itself.

The security auditors raised attention to the risk and compliance issues stemming from lack of governance over the user keys. To fully address the issue and meet the compliance standards, the bank made the commitment to deploy an automated key management system in their network environments.

Key Management Best Practices
Financial institutions should immediately discover all existing key-pairs and map the trust relationships between machines and users. Then they should start to automate key setups and key removals, thereby eliminating manual work and human error.

This step reduces the number of administrators needed for key setups to a few highly trusted administrators. Last but not least, the management should enforce proper policies for approvals of all key setups.

Today a considerable portion of the global financial institutes, Fortune 500 and many major government agencies continue to operate out of compliance, and are unknowingly facing major security threats from hackers or rogue employees.

Best practices, such as the ones identified above, will position your bank to prepare for security threats and new compliance mandates before they occur.

In addition to IT involvement, executive management needs to step-in to protect the company from neglecting any compliance regulations that could bring about liability for the organisation.

Join Hong Kong Business community
Since you're here...

...there are many ways you can work with us to advertise your company and connect to your customers. Our team can help you dight and create an advertising campaign, in print and digital, on this website and in print magazine.

We can also organize a real life or digital event for you and find thought leader speakers as well as industry leaders, who could be your potential partners, to join the event. We also run some awards programmes which give you an opportunity to be recognized for your achievements during the year and you can join this as a participant or a sponsor.

Let us help you drive your business forward with a good partnership!

Top News

AAHK signs $4.62b agreement to acquire Zhuhai Airport
Secretary for Transport & Logistics Lam Sai-hun witnessed the signing ceremony.
Aviation
Gov’t extends judiciary e-Appointment services
This will enable users to apply for self-bankruptcy petitions and probate applications online.
InvestHK opens office in Cairo
This is part of its effort to attract companies from MENA.
Hong Kong top court affirms same-sex spouses' housing rights
Two judicial reviews concerned rights under public rental housing and the Home Ownership Scheme.
Healthcare

Exclusives

Hong Kong Residency rule could boost office sector
The ultra-rich are also expected to set up family offices in the city.
Allegrow Biotech engineers technology to activate immune cells
The startup’s invention can be used to treat and potentially cure diseases like cancer.
Healthcare
Renminbi rise to fuel Bank of China HK’s growth
The lender expects the currency to be used more often in cross-border deals.