After the cyber heist at the Central Bank, the security of the whole banking sector has been put under the scanner. SD Asia recently talked with Dr. Vilius Benetis. Dr. Benetis is a senior consultant who focuses on helping organizations develop the capabilities to secure their digital environments through behavioral change and automation. Benetis is a researcher in securing digital environments and a promoter of critical security controls for effective cyber defense, with 20 years of experience in the IT sector.
He is currently working with the Bangladesh Government on the implementation of a National Computer Incident Response Team (CIRT) and the development of information security policies and standards in Bangladesh.
Tell us something about your current assignment in Bangladesh.
The objective of this assignment is to establish the Government of Bangladesh’s information security program, and to set program goals and priorities to support the government’s mission. It will also provide resources to set up a national Computer Incident Response Team (CIRT) to facilitate and support the program. The assignment has multiple components, including the drafting of policies, regulations, standards and guidelines. It will also propose a structure for the CIRT that is technically, financially, and operationally sustainable; provide training for the CIRT personnel; and assist the CIRT in establishing relationships with other international and regional CIRTs.
What is CERT? Are there any differences between CSIRT and CERT?
CERT/CSIRT/CIRT are synonyms, with some minor, mostly irrelevant differences. These teams have particular processes, communities, and cooperation models, and trust within the community. CIRTs can be national, sectorial or company-wide, depending on the need and setup. NRD CS has a commercial CIRT, which helps organisations to set up their own CIRTs and to securely handle cybersecurity incidents on behalf of, and together with, customers.
What do you think is the condition of cyber security in the financial and banking sector in Bangladesh? What are its main threats?
The only way for the financial sector to be efficient and reliable, in the world and in Bangladesh, is to be highly automated. That includes the automation of client service and of internal operations. Automation is implemented through digitization.
Usage of digital services saves customers’ time, grows countries’ economies, and reduces physical dangers to people and organizations.
At the same time, digitization is changing the threat and crime models. Instead of physical attacks on banks and armed heists, criminals are profiting from cyberattacks. This change has to be comprehended by banks and their clients, and it should come with new skills and knowledge of how to protect themselves.
The biggest risk for financial institutions and their clients is the lack of proper knowledge of the new threats, and of how to use methodologies, technologies, and cyber-hygiene.
Are cyber security solutions for the banking industry expensive? If so, why? Do we have any open source options?
Cybersecurity costs must be adequate to the value of the protected assets. As more assets move into the digital world, more investment is required. What is not so obvious is that hygiene is not expensive at all, because many tools already exist (both commercial and open source). What costs most is setting up appropriate processes and building the required human skills.
You mentioned some of the problems with our Digital Security Act, such as that it has no provision for a national internet security officer. Why do we need that position?
We were not commenting on the Digital Security Act, as it is in draft form and still being discussed. Yesterday we were not talking about the Digital Security Act.
Does the financial sector need a CIRT to monitor financial transaction security?
Organisations in the financial sector should start by building their own capability (Cybersecurity Incident Response Teams – CIRT/SOC), adjusting their processes, and then cooperating in an organized way with other national and regional CIRT teams to achieve the security of their assets and clients. Additionally, organisations should focus on cybersecurity hygiene, adopting and implementing practical frameworks such as the CIS Security Controls (https://www.cisecurity.org/critical-controls.cfm), which have already benefited many organisations around the world, and which help them to be better compliant with sectorial regulations such as PCI DSS.
How can an information security consultant like you make sure that breaches in a network can be traced?
We empower financial organisations to be able to secure and monitor their IT and banking systems, detect incidents, and respond appropriately in order to reduce losses. It is done by means of creating internal CIRTs – teams of incident handlers who work according to a specific process.