Innovative Approaches to Enhance Digital Security

Transcription

1 Innovative Approaches to Enhance Digital Security 2014 Latin America Treasury & Finance Conference A Blueprint for a Digitally Connected Treasury Sabine McIntosh Global Head TTS Digital Security and Account Services sabine.mcintosh@citi.com +44 (20) Elizabeth Petrie Director Strategic Analysis elizabeth.petrie@citi.com +1 (202) Treasury and Trade Solutions

2 (B) Increase in Digital Banking Enhances Need for Cyber Security As business interactions move online, cyber threats are becoming more sophisticated and dangerous. Tremendous Growth of Online Interactions with each Click or Tap Leaving a Trail of Data Cyber Threat and Fraud are on the Rise with Significant Impacts on Business and the Economy 4x In 10 yrs 44x In 10 yrs Global Devices Connected to the Internet 60 50B 40 15B 20 5B Global Digital Data (In Exabytes) 40,000 20, $3 Trillion Estimated cyber attack fallout cost to global economy by $200+ Billion Estimated amount stolen from banks, financial institutions, companies and individuals, double the amount in Source: World Economic Forum, SWIFT. 1. McKinsey report: Risk and responsibility in a hyperconnected world: Implications for enterprises ; January The Guardian Report: Online fraud costs global economy many times more than $100 billion ; October

3 Increasing Sophistication The Changing Information Security Threat Landscape The cyber threat landscape continues to evolve as better organized and more sophisticated attackers have emerged. Organized crime and Nation States Highly organized and well funded Driven by the opportunity for financial or geopolitical gain Destructive adversaries with aim of disrupting economy Individual players Opportunistic and casual Driven by desire to prove they can Typically still individual players Premeditated and planned actions Driven by desire for financial gain Evolving Threats An Illustration of the Information Security Challenge Past Present Speed of Attack Target of Attack Value of Information Complexity of Business Model Sophistication of Techniques Availability of Tools Non real-time theft of passwords and confidential information Typically targets of opportunity Very variable hard to monetize without exposing the malicious actor Workforce primarily based in same geography as business and on payroll Moderately sophisticated adversaries seeking to exploit well known vulnerabilities Custom tools created by knowledgeable individuals to perform a specific attack Real time compromises of customer computers and communication channels Frequently specifically chosen high value targets Readily monetized in a sophisticated, secure, and anonymous underground economy Workforce increasingly cross border and outsourced Highly sophisticated supply chain to create or detect vulnerabilities and exploit tools, then sold to worker bees Malicious tools are commodity items readily available on the black market 3

4 Nature and Frequency of Attacks The amount of knowledge required to launch very sophisticated attacks is decreasing over time making these threats more severe each day. Recent attacks show increased knowledge and understanding of the technology, infrastructure and systems of their victims. Bad Actors are going after customers, suppliers, and third parties in addition to direct attacks. Intelligence, external and internal as well as shared knowledge across the industry and governments will be the most effective counter strategies. Attack Sophistication vs. Intruder Technical Knowledge High Required Intruder Knowledge Attack Sophistication Low Disabling audits Password cracking Self-replicating code Password guessing Back doors Burglaries Packet spoofing Sniffers Sweepers Hijacking sessions GUI Exploiting known vulnerabilities Denial of service Cross site scripting Stealth /advanced scanning techniques Automated probes/scans www attacks Coordinated DDOS Botnets Staged Distributed attack tools SQL Injections Tools Mobile Malware

5 Key Adversaries Cyber Criminals Motivation: Make Money. Methods: Very mature underground economy supporting every facet of cyber criminal activity. Cyber Terrorism Motivation: Instill fear so targets comply with demands or ideology. Methods: Using cyber to enable their programs (Recruit, Incite, Train, Plan and Finance). Underground forums allow these groups to easily acquire destructive capabilities. Hactivists Motivation: Seek publicity for their geopolitical agenda. Methods: Disruption and Defacement. State-Affiliated (Advanced Persistent Threat) Motivation: Political and technological advantage to improve self interests. Methods: Advanced operations to gain a foothold into a target s infrastructure. Once a foothold is established, the adversary performs reconnaissance and methodically plans their attack. APT actors often leave back doors to re-establish access to the target in case their primary means is identified and mitigated. 5

6 Understanding Information Security Risk Information Security Risk is determined based on strong assessment of the threats, known vulnerabilities and the assets involved. External Insecure Code and Applications Intellectual Property Nation State Cyber Terrorists Cyber Criminals Hacktivists Toxic Combinations/Over Entitlements Client Side Software Vulnerabilities Unauthorized Privileged User Access Corporate Data Credentials Financial Transactions Internal Privileged Users End Users Unencrypted Data Improper Configuration Management Network and Operating System Software Vulnerabilities 6

7 Threat Implications and Impact on Business The rise of the cyber threat has wide immediate business implications and significant impacts over the longterm. Immediate Implications for the Business Loss of data Corruption or destruction of data Unauthorized access Account takeovers Compromised systems and applications Impact on the Business Reputational loss Financial loss/fraud Regulatory compliance incidents and penalties Client loss Unavailability of services 7

8 Role of Intelligence Execution Intelligence must be an integral part of the decision making process. Intelligence is having the right information, at the right time, and in the hands of the right people. Intelligence is embedded in the day-to-day work, from the establishment of a customer relationship to the execution of any service. Capturing and understanding the knowledge of employees is the foundation of a successful Intelligence Program. Intelligence Cycle Analysis and Production Dissemination Processing and Exploitation Active Collaboratio n Requirements Collection Planning and Direction Output/Deliverables Inform operational planning and strategic decision-making Inventory of intelligence resources Identification of resource gaps, recommendations for remediation Centralized mechanism for ad hoc intelligence data Regular, frequent updates to senior management and key business stakeholders (e.g. dashboard-type, high-level briefing report) Intelligence-sharing and knowledge-sharing (lessons learned, etc.) Source: 2008 Federal Bureau of Investigation; 8

9 Intelligence Involves Forward-Looking Insights Client Customer Trends Technology Evolution Intelligence Government Regulatory Threat Landscape Industry Trends Third Party Risk Intelligence is built from a mosaic cutting across various views, which helps to identify emerging trends, make informed decisions and predict the next event. Intelligence has a short half-life. Security Activity Intelligence + = Context Defense Situational Awareness 9

10 A Multi-Layered Approach to Information Security Using talent, processes and technology to approach Information Security significantly reduces cyber vulnerabilities and the impact. Identity and Access Management (IAM) Pillars Data Protection Global ID Administration Privileged User Managed Access Security Incident Management Intelligence Collection Vulnerability Assessment Third Party Information Security Assessments Secure System Development Lifecycle Information Security Risk Assessments and Issue Management 10

11 Digital Security is Our Business Citi invests large amounts annually to help protect client assets. Working with our clients is critical to the integrity of end-to-end security. Focus on Partnering End-to-end, Bringing Together Technology and Best Practices Channel Protection Security goes beyond technology and authentication mechanisms to various processes, including: Maker/checker compliance for transaction authorization Cyber Threat! Data Privacy Ensuring business devices are clean and password-protected Leveraging data for alerts Transaction Monitoring Payment monitoring and behaviorbased blocking tools Client collaboration is central to maintaining high security Digital channels have brought better control, but as we leverage new channels, we need to be at the top of our game and keep ahead of the curve. 11

12 Continuous Innovation to Keep Ahead of the Threat Citi continues to invest in Digital Security with several smart experiments in flight across TTS Innovation Labs. Biometrics Voice Biometrics: Evaluate technologies to enable user access via simple verification of their natural speech Behavioral Biometrics: Deploy passive login tool using client behavior (i.e. typing) that cannot be emulated by external agents Device Security Malware Detection: Enable passive detection tools to identify viruses Information Breach: Advise clients when their private credentials are being publicly distributed by cyber criminals Out of Band Security Out of Band Authentication: Provide One- Time-Password via SMS, Phone Call or device application, using a channel or device separate from the primary banking channel Digital Signature and Transaction Approval: Secure transactions via mobile device separate from desktop banking channel Client Experience Client Credential Re-Use: Enable clients to log-in using their own corporate issued credentials Risk-based Authentication: Enable simpler security for low risk transactions and complex security for higher risk transactions The key challenge is to balance user experience, security, and worldwide availability for Citi clients. The above smart experiments may or may not be rolled out. 12

13 The Power of Our Network CitiDirect BE SM Online Award winning digital corporate banking platform live in 96 markets that processes +$30 trillion annually CitiDirect BE SM Mobile Industry leading mobile platform that processed $113 billion in Mobile Payments from on-the-road ICG clients in 2013 alone! 13

14 Working Together to Secure Digital Transactions Client We are Only as Strong as the Weakest Link 14

15 IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the "promotion or marketing" of any transaction contemplated hereby ("Transaction"). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor. In any instance where distribution of this communication is subject to the rules of the US Commodity Futures Trading Commission ( CFTC ), this communication constitutes an invitation to consider entering into a derivatives transaction under U.S. CFTC Regulations 1.71 and , where applicable, but is not a binding offer to buy/sell any financial instrument. Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment to lend, syndicate a financing, underwrite or purchase securities, or commit capital nor does it obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the information contained herein and the existence of and proposed terms for any Transaction. Prior to entering into any Transaction, you should determine, without reliance upon us or our affiliates, the economic risks and merits (and independently determine that you are able to assume these risks) as well as the legal, tax and accounting characterizations and consequences of any such Transaction. In this regard, by accepting this presentation, you acknowledge that (a) we are not in the business of providing (and you are not relying on us for) legal, tax or accounting advice, (b) there may be legal, tax or accounting risks associated with any Transaction, (c) you should receive (and rely on) separate and qualified legal, tax and accounting advice and (d) you should apprise senior management in your organization as to such legal, tax and accounting advice (and any risks associated with any Transaction) and our disclaimer as to these matters. By acceptance of these materials, you and we hereby agree that from the commencement of discussions with respect to any Transaction, and notwithstanding any other provision in this presentation, we hereby confirm that no participant in any Transaction shall be limited from disclosing the U.S. tax treatment or U.S. tax structure of such Transaction. We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided. Any prices or levels contained herein are preliminary and indicative only and do not represent bids or offers. These indications are provided solely for your information and consideration, are subject to change at any time without notice and are not intended as a solicitation with respect to the purchase or sale of any instrument. The information contained in this presentation may include results of analyses from a quantitative model which represent potential future events that may or may not be realized, and is not a complete analysis of every material fact representing any product. Any estimates included herein constitute our judgment as of the date hereof and are subject to change without any notice. We and/or our affiliates may make a market in these instruments for our customers and for our own account. Accordingly, we may have a position in any such instrument at any time. Although this material may contain publicly available information about Citi corporate bond research, fixed income strategy or economic and market analysis, Citi policy (i) prohibits employees from offering, directly or indirectly, a favorable or negative research opinion or offering to change an opinion as consideration or inducement for the receipt of business or for compensation; and (ii) prohibits analysts from being compensated for specific recommendations or views contained in research reports. So as to reduce the potential for conflicts of interest, as well as to reduce any appearance of conflicts of interest, Citi has enacted policies and procedures designed to limit communications between its investment banking and research personnel to specifically prescribed circumstances Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world. Citi believes that sustainability is good business practice. We work closely with our clients, peer financial institutions, NGOs and other partners to finance solutions to climate change, develop industry standards, reduce our own environmental footprint, and engage with stakeholders to advance shared learning and solutions. Highlights of Citi s unique role in promoting sustainability include: (a) releasing in 2007 a Climate Change Position Statement, the first US financial institution to do so; (b) targeting $50 billion over 10 years to address global climate change: includes significant increases in investment and financing of renewable energy, clean technology, and other carbon-emission reduction activities; (c) committing to an absolute reduction in GHG emissions of all Citi owned and leased properties around the world by 10% by 2011; (d) purchasing more than 234,000 MWh of carbon neutral power for our operations over the last three years; (e) establishing in 2008 the Carbon Principles; a framework for banks and their U.S. power clients to evaluate and address carbon risks in the financing of electric power projects; (f) producing equity research related to climate issues that helps to inform investors on risks and opportunities associated with the issue; and (g) engaging with a broad range of stakeholders on the issue of climate change to help advance understanding and solutions. Citi works with its clients in greenhouse gas intensive industries to evaluate emerging risks from climate change and, where appropriate, to mitigate those risks. efficiency, renewable energy and mitigation