Fighting cyber-crime together - Citibank · A study by the Center for Strategic and International Studies (CSIS) ... CitiDirect BE (Citi’s web-based ... As the Microsoft-Citi partnership

Fighting cyber-crime together

The benefits of moving from manual to digital operations are so manifest that such a migration is all-but inevitable. Digital processes allow greater efficiency, faster transactions and increased control. Companies that use digital processes have raced ahead of their less-advanced competitors – forcing laggards to accelerate their implementation of automated processes simply to remain relevant.

Furthermore, digitization requires security changes: enhanced authentication can ensure that money or data is securely and rapidly delivered to the right person, on time. Yet – while it protects banks and corporates from the thieves and attackers they have faced for centuries – digitization exposes a new threat: cyber-crime.

A study by the Center for Strategic and International Studies (CSIS) – sponsored by McAfee – found that cyber-crime costs the global economy around US$445 billion per year. The weakest link in a company’s operation can bring down the entire corporation, and impact their supply chain and bank accounts. An unprotected company is exposed to cyber-threats which have quickly become the world’s most prevalent crime.

Know your enemy Of course banks and corporates are well-accustomed to the threat of fraud and theft – having always been prime targets.

Treasury and Trade Solutions

So, while this is a new type of threat, banks are well aware of the risks and are as determined as ever to remain secure. And the trick to strong security is knowing your enemy.

Most threats are intrusion activity, and attackers can be both outsiders and insiders. That said, the hardest form of attack to detect – though thankfully the rarest – is from an insider. The “insider threat,” generally comes from an individual who has access to security or transaction systems – perhaps redirecting funds or sharing confidential data. They could be a trusted, valued – and therefore undetected – part of a company or bank. However, banks are implementing behavior analysis tools to flag anomalies in the network activity of an employee, when it falls outside the scope of their entitlements or access rights. This enables institutions to stop employees from stealing intellectual property or destroying data since the alerts happen real-time as the employee is engaging in unauthorized activity on the network.

Outside attacks Attacking from outside the company, but no less threatening, are attackers such as “hacktivists.” Hacktivists are primarily motivated by a political agenda rather than monetary gain. Hacktivists rally support via social media platforms and provide their supporters with online tools to attack a particular target, such as banking websites. Some aim to gain press

Cyber-criminals are becoming more sophisticated and more determined by the day. Ensuring tight and efficient security is therefore imperative. Three Citi executives – Sabine McIntosh, Global Head of Account Services and Channel Digital Security, Treasury and Trade Solutions (TTS); Rajesh Shenoy, Director, Global Product Manager Digital Security, TTS; and Elizabeth Petrie, Director of Strategic Intelligence Analysis, Information Protection Directorate – discuss what banks and corporates can do to protect their systems.

attention – meaning that a targeted company or bank is not only vulnerable to monetary loss, but also perhaps to a public relations embarrassment as well as a loss of confidence from their clients.

Then there are cyber terrorists – some of which compromise systems specifically to launder money. That said, perhaps the most sinister threat of all is the “state affiliated threat” – usually (but not always) from a hostile nation seeking to potentially undermine a rival country’s digital integrity. Having gained entry into a system, these attackers can lie dormant and invisible for many years – perhaps tracking information – before disabling systems seemingly out of the blue.

In addition to targeting technology systems directly, these outside threats – such as “hacktivists” and traditional “cyber criminals” – use security-related social engineering to target victims. This means using techniques, such as “phishing” emails to manipulate a victim into downloading malware that can capture sensitive information.

A cyber-security fort Understanding the threat is the first step to neutralizing it. So how should corporates protect themselves? By developing a robust cyber-security system and set of processes, corporations can spot and counter the ever-changing threats to their online integrity.

While some technology aspects can be complex, much of the system mostly involves common-sense. For instance, perhaps the most critical need is to protect the company from the “insider threat”. Yet this is also one of the most logical to deal with. Both companies and banks must be aware of everyone with access to a banking system and other monetary transactions. Personnel changes must immediately trigger corresponding changes in access. Additionally, insisting on multiple levels of approval (with multiple parties) for every transaction can reduce the threat of a rogue employee corrupting systems. CitiDirect BE (Citi’s web-based banking platform), for instance, supports up to nine approval levels before releasing any payment. Having a diverse set of people and systems involved in a high value transaction increases control and reduces the likelihood of fraud.

Transactions themselves also need to be watched. Creating and analyzing full reports on all transactions is a must, and the ability to spot anomalies and suspicious activity is invaluable.

Common sense can also be a powerful tool against security-related social engineering. Anyone contacting you claiming to be from a bank and asking for passwords and private information is a potential fraudster. Accepting email invitations and clicking on shortened URLs is unwise, and giving out sensitive information to anyone unknown, and sometimes even those who are known, can be dangerous.

Certainly, companies must train employees on what to do when called by someone claiming to be a bank representative

requesting sensitive information. And as the threats develop, it is important to provide annual training to refresh everyone’s knowledge on the top trends.

IT Discipline While cyber threats are indeed intimidating, in reality most of cyber security comes down to discipline and vigilance by IT and end-users – the negligence of which is, frankly, reckless.

Using anti-virus software and regularly updating browsers and systems are simple, preventative measures. And this extends to any personal devices that employees could use to access company platforms or execute transactions. Using an unprotected device to access business platforms, even just once, is essentially inviting a cyber-criminal through an open door – so discipline, in this sense, means taking an extended interest in the gadgets that log-in to your network, ensuring they are as up to date with the latest virus/malware protection as any office PC or laptop.

Citi’s three pillars of defense As well as being proactive in dealing with cyber-crime threats, there is also a need to be reactive. Acting quickly against cyber-crime is essential. One way Citi does this is through the use of the “cyber kill chain” methodology. The methodology enables Citi to tag information that it collects so that it can identify an attack in the earliest stages – when an attacker is trying to discover a vulnerable spot in a particular system. By identifying and countering an attack early, Citi is able to not only identify the threat before it fully develops, but also to use the information it gains to spot future threats.

Of course, with threats coming from so many angles, a security system requires a multi-layered response to counter both the internal and external threats simultaneously. As such, and over many years, Citi has developed a three-pillared approach to digital security. This is a holistic solution that focuses on what the attacker is targeting, as well as details what processes and technology shields can be adopted.

Channel protection, the first of the three pillars, blocks an attacker’s entry to a platform – such as Citi’s CitiDirect BE or CitiConnect channels. Partly, this can be controlled through insisting on strong log-in credentials for authentication. Citi, for instance, often uses “challenge” and/or “response” tokens, as well as digital certificates. Secondly, all data exchanged with clients must also be protected with robust encryption tools in case attackers try to read information while it is being transferred from their system to Citi. Finally, and perhaps most importantly, any abnormal log-in behavior or activity must be detected, investigated immediately and minimized.

Of course many attackers are more focused on the transactions themselves. As such, the second pillar encourages both companies and banks to be vigilant about payment outliers. Any outliers, often detected through behavior-based blocking capabilities, must require a diligent

2

3

review of communication and transaction data. Citi’s Payment Risk Manager helps identify outliers, for instance, while CitiDirect BE reports can be reviewed for alerts for certain events.

Thirdly, attackers often focus on higher value, and usually confidential, data. Data privacy is therefore the final Citi

pillar – utilizing its data privacy policy and data governance function. A strong focus on entitlements insures that only the correct person is allowed to view information, this is periodically reviewed and updated. Maintaining multiple layers for security is key – backing up all data at different sites, while using a variety of systems in order to protect data and ensure it is both accurate and reliable.

Innovation SpotlightCiti therefore has a robust response when attacked. Yet cyber-crime is constantly evolving as current attacks become known and dealt with. As such, Citi is proactively working with industry leaders on innovative approaches to reduce the threat of cyber-attacks. We are focused on improving both security and the client experience.

One example illustrates the point. The explosion of single-purpose credentials per application, such as security tokens, has benefits and risks. These single-purpose credentials require end-user vigilance to prevent against loss and may create user frustration when interacting with multiple banks.

Citi as a banking leader developed a proof of concept with Microsoft Treasury utilizing Microsoft Azure-based

next generation identity technology. Microsoft already issues very secure identities to its employees with digital certificates. Leveraging those smart IDs, Citi and Microsoft tested access to Microsoft’s bank accounts via CitiDirect BE as a way to both enhance security and the user experience.

A spokesperson at Microsoft describes how the treasury team was often either worried about the threat of cyber-attack, or inconvenienced by the need to carry around bags of security tokens for every bank – both distractions from core operations. The need to conduct business easily without concerns about work being stolen is an imperative. Citi and Microsoft’s joint research and development activity shows promise for a future system that increases security and usability.

Transaction Monitoring

Channel Protection

Data PrivacyCyberThreat!

Figure 1: Digital Security is Citi’s Business

• Security goes beyond technology and authentication mechanisms to various processes, including:

– Maker/checker compliance for transaction authorization

– Ensuring business devices are clean and password-protected

– Leveraging data for alerts

– Payment monitoring and behavior-based blocking tools

• Client collaboration is central to maintaining high security

Citi invests large amounts annually to help protect client assets. Working with our clients is critical to the integrity of end-to-end security.

Focus on Partnering End-to-end, Bringing Together Technology and Best Practices

Fig 1. Digital channels have brought better control, but as we leverage new channels, we need to be at the top of our game and keep ahead of the curve.

4

Strength in numbers So security is about more than simply protection. It allows companies the freedom to operate without fear. And while sophisticated security systems and due diligence will help protect against cyber-crime, there is one key weapon that will keep defenses as strong as possible: collaboration.

As the Microsoft-Citi partnership illustrates, cyber security is easier when banks and corporates work together to protect the end to end security of bank-corporate interactions. Sharing knowledge of anomalies or updates, or even of attackers’ activities, makes every party stronger. What’s more, conversations between parties enable a bank to ensure that solutions created for a particular corporate can be adapted to the specific threats faced. It enables solutions to be produced more quickly, and with fewer flaws.

And collaboration is a trend very much underway. In fact, information sharing is probably more advanced in the digital security space than any other sector. Real-time,

highly-detailed, analysis enables banks and companies to detect patterns and stay (at least) one step ahead of attackers.

What’s more, this collaboration is taking place on an international level – attacking a global threat through combining the capabilities of companies and banks across the world. The Information Sharing and Analysis Centers (ISACs), for instance, share information not only internationally, but also across sectors. It understands that attackers are not necessarily that picky, and an attacker targeting one company in a certain sector can easily pivot to focus on another company or sector entirely.

Cyber-crime is a very real – and a potentially very debilitating – threat. Alone, companies are vulnerable. Yet by working together, both banks and companies can help defeat today’s cyber-crime – and be ready and able to defeat them again tomorrow.

Please Note: This article was originally published in gtnews.

Figure 2: The Power of Our Network

CitiDirect BESM Online

Award winning digital corporate banking platform live in 96 markets that processes +$30 trillion annually

CitiDirect BESM Mobile

Industry leading mobile platform that processed $113 billion in Mobile Payments from on-the-road ICG clients in 2013 alone!

▼▼

Treasury and Trade Solutionstransactionservices.citi.com

© 2014 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design is a service mark of Citigroup Inc., used and registered throughout the world. The information and materials contained in these pages, and the terms, conditions, and descriptions that appear, are subject to change. Not all products and services are available in all geographic areas. Your eligibility for particular products and services is subject to final determination by Citi and/or its affiliates. Any unauthorised use, duplication or disclosure is prohibited by law and may result in prosecution. Citibank, N.A. is incorporated with limited liability under the National Bank Act of the U.S.A. and has its head office at 399 Park Avenue, New York, NY 10043, U.S.A. Citibank, N.A. London branch is registered in the UK at Citigroup Centre, Canada Square, Canary Wharf, London E14 5LB, under No. BR001018, and is authorised and regulated by the Office of the Comptroller of the Currency (USA) and authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request.. VAT No. GB 429 6256 29. Ultimately owned by Citi Inc., New York, U.S.A.

GRA25781 12/14

Sabine McIntoshDirectorGlobal Head of Digital Security and Account Services TTS, Citi

Elizabeth M. PetrieDirectorOffice of the Chief of Information Security

Rajesh Shenoy DirectorDirector and Global Product Manager for Digital Security TTS, Citi

Sabine McIntosh has been the Global Head of Account Services and Channel Digital Security, within Treasury and Trade Solutions (TTS) since October 2013. Sabine is responsible for the development and execution of Citi’s Strategy for the Operating Account, and the Digital Security of TTS Electronic channels. Sabine has been with Citi for 14 years.

Previously, Sabine was responsible for leading the Client Onboarding transformation initiative for Europe, Middle East and Africa, including the launch and adoption of the electronic Bank Account Management platform in the region. Prior to this role, Sabine was regional Product Manager for Citi’s payment channels, including the award winning electronic banking platform Citidirect®. Sabine joined Citi Technology organization in 2000 as a Senior Program Manager responsible for a number of regional transformation initiatives. Prior to Citi, Sabine has held various sales management roles. Sabine is a graduate of the University Paris Dauphine.

Elizabeth M. Petrie is Director of Strategic Intelligence in the Office of the Chief of Information Security (OCIS). She reports to Citi’s Chief Information Security Officer T.J. Harrington, who leads the firm’s Global Information Security, Anti-Money Laundering Operations and Office of Emergency Management, applying an information-led, threat-focused approach to protect Citi from cyber-attackers, among other adversaries.

Beth manages the Strategic Intelligence Analysis Group, which produces actionable intelligence assessments on the cyber threat to inform decisions made by executives on information security practices. Organizations around the world are realizing that advanced intelligence capabilities can consistently deliver new levels of safety with proactive insights on true threats. Beth’s team transforms information into knowledge and leverages a strong network of professionals to create intelligence products that keep Citi ahead in understanding the cyber threat landscape. She joined Citi in January of 2014 with more than 15 years of experience as an intelligence analyst.

As head of Cyber Intelligence for the Federal Bureau of Investigation, Beth managed multiple intelligence units, oversaw production of actionable intelligence for senior policymakers, and led development of a threat prioritization methodology. Her career at the FBI also included authoring intelligence assessments on white collar trends impacting global financial institutions and working as a tactical analyst supporting espionage cases. Beth started her career as an intelligence research specialist with the Department of Justice’s Criminal Division, writing implementation plans for Presidential Initiatives.

Beth has a master’s degree in Technology Management from Georgetown University, a master’s degree in Criminal Justice from George Washington University and a bachelor’s degree in Psychology from Saint Mary’s College, Notre Dame. Beth and her husband Chris are owners of a small business and live in Maryland with their two daughters, Kaitlyn and Madeline.

In this role he is responsible for the identity solutions product for Citi’s institutional clients and providing digital security capabilities for Citi’s corporate banking channels. Prior to this, Mr. Shenoy was the global channel manager for the industry leading TTS online banking portal CitiDirect BE as well as client facing analytics solutions. Since joining Citi in 1998, Mr. Shenoy has served the organization in a variety of capacities – with leadership roles in product, client advisory, operations, and technology functions while working at Citi branches in the United States, United Kingdom, Canada, Russia, China, Singapore, Venezuela, and Ireland. Mr. Shenoy holds an MBA in Finance from the Wharton School at the University of Pennsylvania and graduated with a Bachelor of Science degree in Computer Systems Engineering from Stanford University.