24 May 2011

Global security


World Bank CISO Jim Nelms tells FST how the organisation is battling the next generation of IT threats.

Security risks in today’s market keep advancing and growing more complex, and there is no doubt that banks have to keep delivering new products and services while defending against these threats. At World Bank, combating key security risks has proven to be an integral part of the organisation’s DNA, Nelms explains: “the first primary security risk that we’re facing at World Bank is user related, and it has to do with phishing or spear phishing of user credentials.” As phishing has become more widespread, the techniques and sophistication of these attacks have become more focused as well, with entry points into the World Bank networks becoming a prime target for e-criminals. “To combat this at the bank, we have gone to a full two-factor authentication model using a token-based authentication process, and in the very near future we'll be linking that to a persistent credential using a certificate with key pairs both for signing and for encryption.”

Phishing is not the only problem the bank is tackling. “We have also found a huge increase in the number of attacks through the weaknesses in the web interfaces,” adds Nelms. “This particular adversary looks to create entry points into the network on externally facing websites, and then one of two things happen. They either use those entry points to resell, or to place you on the underground for access to the system, or they use it for exfiltrating corporate information. Whereas five years ago, somebody who would have exploited a website generally might have defaced it, or they may have taken a system down, the adversary today seems to want to keep the system up,” says Nelms. “They're very quiet, they don't disrupt things, but they do collect and harvest information, encapsulate it, and then try to exfiltrate it outside of the institution.”

Alignment

The prospect of hackers quietly harvesting information obviously poses serious issues for the banking sector, and as Nelms highlights, World Bank has taken a different approach to externally facing websites: every site first goes through a registration and accreditation process, and the number of external entry points has been significantly reduced by building them on a common framework. “The technique that we're using there is separating the three components that make up an externally facing website: the coding itself, the database behind it, and then the web server. So what we have done is move them into much more discrete segments, so the network behind the bank has become much more granular.” As a result, if a site is breached, even one that has been certified and is regularly scanned, the extent of the compromise is much smaller than it would otherwise be.
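The value of the three-way split Nelms describes comes from the flows it forbids: the web tier should never reach the database directly, and neither the web nor the database tier should open connections out to the Internet. The following Python is an added example, not World Bank's design or code: it writes one site's segment plan as a small allow-list, checks constructed flow records against it (the two flagged lines are exactly the quiet tier bypass and outbound transfer the interview warns about), and renders the same allow-list as nftables rules. All addresses, ports and segment names are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed segment plan for one externally facing site: web server, application
# code and database each in their own network segment. Addresses are illustrative.
INTERNAL_SEGMENTS = {
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db":  ipaddress.ip_network("10.3.0.0/24"),
}

# The only flows the design permits: (source segment, destination segment, destination port).
# Anything else, in either direction, is a violation worth an alert.
ALLOWED_FLOWS = {
    ("internet", "web", 443),   # users reach the web tier over TLS
    ("web", "app", 8080),       # web tier calls the application tier
    ("app", "db", 5432),        # only the application tier talks to the database
}

Flow = namedtuple("Flow", "src sport dst dport nbytes")

# Constructed flow records, one per line: "src_ip src_port dst_ip dst_port bytes".
# Lines 1-3 are the normal request path; line 4 is the web tier bypassing the
# application tier to reach the database; line 5 is the database host pushing a
# large volume out to an Internet address.
SAMPLE_FLOWS = """\
203.0.113.7 51234 10.1.0.5 443 1200
10.1.0.5 40000 10.2.0.8 8080 900
10.2.0.8 40001 10.3.0.9 5432 4000
10.1.0.5 40002 10.3.0.9 5432 300
10.3.0.9 40003 198.51.100.23 443 9000000
"""


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the internal ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERNAL_SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line: str) -> Flow:
    src, sport, dst, dport, nbytes = line.split()
    return Flow(src, int(sport), dst, int(dport), int(nbytes))


def check_flows(log_text: str):
    """Return (line number, reason) for every flow the segment plan does not allow."""
    violations = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        f = parse_flow(line)
        s, d = segment_of(f.src), segment_of(f.dst)
        if (s, d, f.dport) in ALLOWED_FLOWS:
            continue
        if d == "internet":
            reason = (f"{s} segment opened an outbound connection to {f.dst} "
                      f"({f.nbytes} bytes): possible exfiltration")
        else:
            reason = f"{s} -> {d}:{f.dport} is not a permitted tier-to-tier flow"
        violations.append((lineno, reason))
    return violations


def render_nft_rules(chain: str = "inet filter forward"):
    """Express the same allow-list as nftables commands, ending in a default drop."""
    rules = []
    for src, dst, port in sorted(ALLOWED_FLOWS):
        saddr = "" if src == "internet" else f"ip saddr {INTERNAL_SEGMENTS[src]} "
        rules.append(f"nft add rule {chain} {saddr}ip daddr {INTERNAL_SEGMENTS[dst]} "
                     f"tcp dport {port} ct state new accept")
    rules.append(f"nft add rule {chain} ct state established,related accept")
    rules.append(f"nft add rule {chain} drop")
    return rules


if __name__ == "__main__":
    for lineno, reason in check_flows(SAMPLE_FLOWS):
        print(f"line {lineno}: {reason}")
    print("\n".join(render_nft_rules()))
```

Because the database tier is only ever a destination, the outbound-to-Internet rule in check_flows is the one most likely to catch the slow, quiet exfiltration Nelms describes; it needs nothing more than flow records from the segment boundary, not inspection of the traffic itself.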

World Bank has, of course, been realigning its entire IT infrastructure over the last few years. “We are aligning the IT services and security with the business sides themselves, focusing both from a business continuity and a security perspective. We do this through a layered approach, strengthening the areas of the business and organising them in a much more granular fashion; the internet may be the most popular choice in which to do business, but it has also become an increasingly unsafe way to do business. We're utilizing different technologies such as encrypted MPLS and point-to-point frame lead-ins for very critical services, and then using a much more granular approach at the externally facing systems.”

As Nelms points out, the Internet plays a huge role in today’s market, and he is certain that this raises specific operational challenges; he also thinks the cure for them is much the same. Many of World Bank’s projects, and the monies, resources and financial instruments that it manages or holds on behalf of other countries or businesses, carry a huge risk if they were to be compromised from an external source. “With the continued rise in weaknesses in web interfaces, we have established a part of the office of information security where we have increased the technical capabilities and the focus of one segment of that team to do nothing but stay in front of the curve in terms of website security,” says Nelms. “Because it is a primary point of business, and because in many of the countries in which we do business internet access is the most reliable form, we have focused on a very segmented type of services that we offer, and focusing on those areas requires the highest degree of monitoring and security.”

Ahead of the curve

Though it operates in a very particular way, there is certainly a thing or two other financial institutions could learn from World Bank’s approach to information security, and the granular approach Nelms describes offers some key ideas to the market. “What I would recommend for the financial institutions who are looking to do this is to take a very close look at the technical underpinning of how they provide web services,” says Nelms. “Most institutions have a central point where data is accessed, where websites are accessed, and I think we're finding that that's going to create the much larger exposure than if you use a smaller, discrete approach.” As Nelms highlights, if you have three business lines, you should not put them behind the same interface: even though that may appear to be a good way of handling it from an information technology standpoint, from a security and reliability standpoint it is not. “You may compromise more than one of your business lines at the same time,” says Nelms. “I’d recommend independent business lines to the outside world.”

With this, however, Nelms predicts that the total cost of ownership will go up correspondingly. “Unfortunately, you lose some of the economies of scale by not being able to use huge web servers or huge databases or collective information on the internet, and unfortunately, that is once again not a choice we get to make,” he explains. And while information security may reduce the risk to a tolerable level, it does not eliminate it. “What we're finding with a more sophisticated and persistent adversary is the probability of compromise has gone up significantly in just the last two years alone. Now the only choice an institution has to make is whether they will spend their time and money in remediation, or they will spend it in a preventative measure to reduce the impact of when a breach occurs,” says Nelms. “Over the last couple of years, looking at a number of companies that have had breaches, they may not even be in a position to detect these breaches for weeks or months after they have occurred, so I think from a financial perspective, we have to respond to that business environment very quickly and realize that that has become an intolerable risk for financial institutions.”

Security threats certainly aren’t going to go away either, and preventing future attacks is clearly crucial to the work Nelms does at World Bank. “The biggest security threat, the most visible, is probably going to be identity theft. That's going to continue to rise. The most detrimental to businesses is going to be the compromise of websites through technological weaknesses, through SQL injection or through cross-site scripting or other weaknesses in the software that we're using to develop applications, and the exfiltration of information will be the most devastating to a company.

“The practice of information security, and the convergence of that, is becoming much grayer in these areas because of the number of ways, and the complexities of the systems that are required to do something as simple as price a derivative, or follow a yield curve. Ultimately, firms will have to look at the technology that underpins their businesses with the same views as they do their standard operational risk measures.”
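SQL injection and cross-site scripting, the two web weaknesses Nelms names, both come from the same mistake: untrusted input is concatenated into text that another component (the database engine, the browser) then parses as code. The Python below is an added example, not code from the article or from World Bank: a constructed in-memory SQLite account table, a login query built by string formatting beside its parameterized form, and an HTML greeting with and without output encoding. The table contents, column names and payloads are all assumptions chosen to make the failure visible.

```python
import html
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an account store behind a web login."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "correct horse battery", 1200), ("bob", "hunter2", 50)],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """'Before' code: user input is spliced into the SQL text, so a quote or a
    comment marker in the input changes what the query means."""
    query = (
        "SELECT username, balance FROM accounts "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username: str, password: str):
    """Hardened form: the SQL text is fixed and the inputs travel as bound
    parameters, so the engine never interprets them as SQL."""
    query = "SELECT username, balance FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def greeting_unsafe(display_name: str) -> str:
    """Reflected XSS: attacker-supplied text is written into the page as-is."""
    return "<p>Welcome, %s</p>" % display_name


def greeting_escaped(display_name: str) -> str:
    """Output encoding turns markup characters into entities before they reach the browser."""
    return "<p>Welcome, %s</p>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    conn = build_demo_db()
    # "--" starts a SQL comment, so the password check is cut off entirely.
    print("vulnerable, no password:", login_vulnerable(conn, "alice' --", "anything"))
    # A tautology in the password field makes the WHERE clause true for every row.
    print("vulnerable, tautology:  ", login_vulnerable(conn, "alice", "' OR '1'='1"))
    # The same inputs are only string values to the parameterized query.
    print("parameterized, injected:", login_parameterized(conn, "alice' --", "anything"))
    print("parameterized, genuine: ", login_parameterized(conn, "alice", "correct horse battery"))
    print(greeting_unsafe("<script>alert(1)</script>"))
    print(greeting_escaped("<script>alert(1)</script>"))
```

The point is structural, not a matter of filtering: quoting or blacklisting characters in login_vulnerable would still leave the data and the code in the same string. Parameterized queries and context-appropriate output encoding remove the ambiguity, which is what a web-security team of the kind Nelms describes should be enforcing in the common framework that every externally facing site is built on.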

