An interview with Marco Morana
Citi UK’s Senior Vice President of Cyber-Security speaks to FST Media about how the advent of biometric security will shape the way in which we interact with banks.

FST Media: What is the ‘holy grail’ that is yet to be delivered in financial services? 

Morana: One of the main challenges that financial institutions face today is to be capable of detecting data compromises and the occurrence of fraud, as well as responding as quickly as possible to security incidents to limit the impact across the business. Improving capabilities in the gathering and the analysis of threat intelligence sources – including threat and attack modeling – is the “holy grail” of cyber-risk management because it represents the “cure” for the cyber-security crisis we face today: we detect data compromise only weeks after the initial attacks.

FST Media: What do you think should be the priorities for banks to deal with emerging cyber-threats in the next 12 to 18 months? 

Morana: It is customary in the financial sector to prioritise compliance and governance before cyber-risk measures, as investment in measures, including people, process and technologies, can effectively reduce the impact of cyber-attacks. The perspective of compliance auditors is to assess gaps in controls for protecting confidentiality, integrity and availability of the data. However, this is no longer enough to mitigate the risk of data breaches. As threats evolve, traditional security controls need to evolve and be engineered as countermeasures. Banks should adopt a cyber-security strategy that fulfills not only their obligations in terms of business and compliance audit, but is also aligned with threat intelligence goals and proactive risk mitigation. On a tactical level, in the next 12 to 18 months it is important to start planning proofs of concept and pilots of technologies that seek to improve detection of malware attacks and account takeover fraud. This will also improve banks’ detection of Advanced Persistent Threats (APTs) as they continue to focus on attack simulation exercises to prepare for security incidents.

FST Media: What are the key challenges that banks face in the realm of cyber-security? 

Morana: In the last 20 years, we have witnessed an evolution of the methods and attack techniques used by cyber threat actors in terms of their tools, tactics and procedures (TTPs). Between 2000 and 2005 there was an escalation in the sophistication of the TTPs used by attackers and therefore in the impact of security incidents, with volumes of credit card data compromised reaching up to millions of credit cards. Last year, the main threats affecting financial institutions included social engineering, APTs, Distributed Denial of Service (DDoS) attacks, banking malware attacks for account takeover, fraud and the exploitation of web and mobile application vulnerabilities.

In addition to these external threats, financial institutions still face more impact from internal threats such as rogue bank employees, specifically for various types of fraud. These threats continue to be prevalent this year, and the trends that some security vendors see for 2016 and beyond are threats attacking the increasingly exposed attack surface. This includes the opportunity to compromise specifically data and services in the cloud, business-critical financial transactions such as wires, mobile payments (due to the proliferation of mobile devices that represent opportunities for attackers to exploit) and the increase in sophistication of the attacks. This is both in terms of the tools – such as malware – as well as tactics – such as requesting to pay ransom – which are used to specifically bypass anti-malware security defenses. Other threats of 2015 that we will continue to see this year are social engineering and spear phishing facilitated by the use of social media, targeting specific employees working in bank services that have access to critical systems such as payments and trading initiation and approval.

FST Media: How will the advent of biometric security shape the way in which we interact with banks? 

Morana: One of the main goals for the adoption of biometrics in financial environments has been usability and convenience for payments without passwords. These goals have been accomplished by leveraging mobile phones’ fingerprint sensors (including Touch ID in iOS) as well as a combination of other sensors (such as touchpad pressure sensors) for behavioral authentication.

One promising development in biometrics is the use of behavioral biometrics for two-factor authentication, money transfer transactions, as well as for the authorisation and verification of payments. One important aspect that banks should look at before adopting biometrics is the standardisation of authentication factors that include biometrics, such as the Fast Identity Online Alliance’s (FIDO) Unified Authentication Factor. FIDO is shaping how banks will use biometric factors in the future authentication ecosystem. By leveraging FIDO standards, it will be possible for banks to implement secure use cases of biometrics for single sign-on and for federated authentication with other banking sector applications.

FST Media: How do you encourage a culture of innovation in your team? 

Morana: As threats evolve, cyber-security teams need to evolve their knowledge to keep pace with the escalation in sophistication of the attackers’ tools, techniques and procedures. I encourage my team to attend threat intelligence briefings and identify opportunities for improvements, not just in new types of security technology that need to be experimented with but also in new types of risk processes such as threat modelling.

For cyber-security innovation to happen it is important that the information security team works with start-ups innovating in the various subdomains of cyber-security. One opportunity that we can perceive here is also the interaction between security teams and the various financial technology innovation labs inside and outside the banks, including cyber-security accelerators. It is important above all to change the company culture of security and motivate information security teams to move beyond the minimum security standards and work together with business, engineering, and research and development teams to design together new countermeasures and apply risk management methods that are more effective in combating cyber-attacks than compliance with information security standards and regulations.

FST Media: What new countermeasures must banks take to help improve business continuity and disaster recovery in the face of a cyber breach? 

Morana: In the past, it was enough for a business to deploy generic security measures such as firewalls to protect the perimeter. Today, this is not enough, since cyber-attacks are targeted and sophisticated and countermeasures need to be engineered ad hoc to detect and prevent specific types of attacks. The challenge for security practitioners at the banks is that the attackers change their tactics and procedures quickly. Therefore, defenders need to adapt quickly by learning about the threats from threat intelligence and applying methods so they can be at the edge of the threat before being attacked. Chief information security officers at banks today worry a lot about the impact that DDoS attacks can have on the continuity of business.

It is important to test the preparedness of a bank for DDoS attacks by conducting simulation exercises, also in coordination with other banks, as this approach has proven to be effective in real attack scenarios. In general, it is better to implement countermeasures that are effective in detecting and preventing cyber-attacks by learning from the root causes of security incidents.

A lesson learned in the case of the 2012 DDoS attacks on banks in the US, for example, was that DDoS attacks target both the network and application layers, and this helped them to work with vendors to engineer new solutions. In the case of disaster recovery from a data breach, big data analytics, machine learning and automated threat intelligence feeds of indicators of compromise will help banks in the future to respond to security incidents. This will happen in much shorter time frames than we are experiencing today, taking just days or hours instead of months or weeks.

Marco Morana spoke at FST Media’s The Future of Security in Financial Services event in Sydney and Melbourne on February 23 and 25 last month, alongside a distinguished panel of executives from across financial services.

The views put forth in the article herein are the personal views of Marco Morana and do not necessarily reflect the views of the employer (Citi). Any facts (such as references to the DDoS attacks) and information provided in this article are available in the public domain.