Hi all - This is the 36th edition of Frontier Fintech. A big thanks to my regular readers and subscribers. To those who are yet to subscribe, hit the subscribe button below and share with your colleagues and friends. 🚀
“In Order to succeed, you must first survive” - Warren Buffett
“Not everything that happens happens for a reason, but everything that survives survives for a reason” - Nassim Taleb
Introduction
The digitisation of business continues unabated, driven both by the post-Covid awakening to the importance of technology and by a seismic shift in value-creation mechanisms, with APIs at the vanguard. In my view the latter is the more fundamental, and it has recently been shaping my thinking across a number of domains such as commerce, investing, societal design and personal life planning. In the future, every business will be technology enabled, with technology and tech thinking moving up the food chain from a support function to a critical business function.
In finance and banking, the term “Fintech” has been coined to represent the intersection of financial service provision and the infusion of tech thinking into it. Companies like Monzo, Starling, Nubank, Alipay, Kuda Bank and Chipper Cash are financial services companies, but with the core distinction that technology is the cornerstone of their strategy and commercial thinking. Other industries such as food delivery, hotel bookings and car hailing have been digitised as well, probably because service industries lend themselves to digitisation more easily than clunky, physical goods.
Modern fintechs and banks are built on more open principles and with a distributed architecture. In the past, the decision was to acquire a specific system, say a core banking system, secure it and maintain it. Nowadays, open and distributed architecture principles have created a wider attack surface. Modern banking architecture is segmented into different layers such as systems of record, systems of engagement and systems of insight. All these additional layers are built to improve the customer value proposition and are critical to service delivery; however, every added layer, and every interface between layers, is one more thing to secure, and that increases the complexity of securing your systems.
Banks and any other financial service provider run on trust. Customers must trust that their funds will be safe and available as and when needed. For a very long time, banks have built their value propositions around this concept of safety and stability, often through physical symbols such as large buildings. In the new digital age, this framework is falling apart as transactions and customer engagement move into the digital realm.
If technology is moving up the decision-making value chain, a concept behind the growth of Stripe, and technology is also becoming the core value-creation strategy, it stands to reason that securing this technology and making it resilient to attacks should become more and more critical in the day-to-day running of a business. For a very long time, Chief Information Security Officers have been relegated to second-tier citizens within executive or management committees. Decisions around security tend to be reactive rather than proactive, and security occupies a tertiary role in both the conceptualisation and execution of product development. At the same time, fintechs and banks still need to ship product quickly to remain competitive.
I decided to pick the brains of one of the smartest people in Cybersecurity and a high school friend of mine Dr. Bright Gameli Mawudor. Bright always used to spend his time tinkering with computers whilst in high school and his passion for cybersecurity is real. He has gone on to become a domain expert in infosec and cybersecurity. Bright obtained his PhD in IT Convergence and Application Engineering from Pukyong National University in South Korea. He is the founder of Africahackon, a Cybersecurity collective that works to bring together the brightest minds in cybersec within the region through conferences and live demos. Through Africahackon, Bright has given over 140 talks across the world on Cybersec cementing his place as one of the most important voices in Cybersecurity in the continent. Some of his accolades include being named as one of the Top 40 under 40 in Kenya by the Business Daily newspaper. He was also recognised by Tribe of Hackers: Blue Team 2020. Currently, Bright heads the managed security services practice at Dimension Data.
For starters, this is a good video where Bright takes viewers through different elements of cyber-preparedness.
Q&A with Dr. Bright Gameli Mawudor
Samora: First, please give a general overview of the philosophical and practical approach - the mindset that leaders and operators need to have around cyber-security - What is the big mindset gap that you see?
Bright: A lot of people are focused on compliance, which is ticking boxes every day to satisfy regulatory standards, but forget there are other risks involved. A lot of leaders are also not aware of what is going on in the Cyber Security space and focus only on their businesses being successful.
Samora: The security function in either banks or Fintechs is largely overlooked in many cases. In your view, what's the role of a CISO or CSO, who should they report to and how should they interface with the different teams - business, technology, and general executive teams? Where are the gaps?
Bright: CISOs are meant to have a holistic view of the entire organization's Cyber Security. They are responsible for the protection of the assets, people, infrastructure as well as all technologies involved. They ideally should report to the CIO but should be able to present to the Board every so often as regards to what they are doing to protect the organization.
The gap usually arises when the CISO does not work closely with the Head of Risk or CIO to present the right message to the Executive Management or Board. In turn, the CISO and his department get looked at as a cost centre and not much of a value driver.
Samora: You've written extensively about API security - what are the overall areas that people should be worried about and what practical steps can be taken to ensure that you have a well-functioning and secure API ecosystem.
Bright: The API ecosystem is one of the most attacked in financial services and will be for a very long time. The fact that APIs are connected to third parties, with all the interdependencies that brings, calls for very tight security on all fronts.
Organizations such as Datatheorem, Ping Identity and Wallarm provide cloud-native API security systems. However, organizations need to take the following into consideration:
Continuous Monitoring of all API Points with stop gaps;
Log all relevant application data and traffic and monitor it with any Security Incident and Event Management (SIEM) tool, with appropriate use cases developed to keep watch for anomalies such as large, unusual request volumes from one source with frequently varying origins. E.g. Exabeam & Securonix (SIEM/XDR/SOAR);
Traffic Encryption in transit and Perimeter Security – No data should be transmitted in plain text. Your application communication should encrypt all data exchange using the latest TLS (Transport Layer Security) versions to block the usage of the weakest cipher suites. This should preferably be done two-way, simply known as mutual encryption;
Software Encoding Algorithms and Obfuscation;
Authentication and Data Validation – Your application should always know what system is calling your API, at all times, through asymmetric validation, and should validate all input that comes to the server. This can be seen in the parameters that are sent from the originator to the server;
Shadow API – “Shadow APIs are a category of backend APIs often hidden from the views of traditional security tools and API gateways. These undiscovered APIs often run on ephemeral infrastructure in the public cloud”
With the increase in cloud adoption, and deployment made easy by on-demand resource allocation, developers often end up creating APIs that are not visible to most security tools. One great system that gives visibility beyond the usual is Datatheorem.
Shadow APIs are readily being exploited lately on a large scale, increasing attacks beyond the normally anticipated level.
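To make the monitoring and shadow-API points in the list above concrete, here is an added example, written for this edit and not code from the original article or from Datatheorem, Exabeam or Securonix: a small SIEM-style detector in Python run over constructed API gateway log lines. It implements three use cases of the kind the answer describes: a burst of requests from one source, one source probing many distinct endpoints, and calls to live endpoints that are missing from the documented API inventory. The log format, the inventory, the thresholds and the IP addresses are all assumptions for illustration.

```python
"""Added example: SIEM-style anomaly and shadow-API detection over API gateway
logs. The log format, thresholds, inventory and addresses are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed documented API inventory (what the gateway and security tooling know about).
DOCUMENTED_APIS = {"/v1/accounts/balance", "/v1/transfers", "/v1/loans/apply"}


def build_sample_log():
    """Constructed sample traffic, not real data: one quiet legitimate client and
    one source that hammers the gateway and probes paths outside the inventory.
    Line format (assumed): '<iso-timestamp> <src-ip> <method> <path> <status>'."""
    base = datetime(2021, 5, 3, 10, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=1)).isoformat()}Z 203.0.113.7 GET /v1/accounts/balance 200",
        f"{(base + timedelta(seconds=2)).isoformat()}Z 203.0.113.7 POST /v1/transfers 201",
        f"{(base + timedelta(seconds=40)).isoformat()}Z 203.0.113.7 GET /v1/loans/apply 200",
    ]
    probe_paths = ["/v1/accounts/balance", "/v1/transfers", "/v1/loans/apply",
                   "/v1/admin/users", "/v1/internal/debug", "/v2/export"]
    for i in range(60):                                   # 60 requests in under 6 seconds
        t = base + timedelta(milliseconds=100 * i)
        path = probe_paths[i % len(probe_paths)]
        status = 404 if path == "/v2/export" else 200     # two unlisted paths actually answer
        lines.append(f"{t.isoformat()}Z 198.51.100.9 GET {path} {status}")
    return lines


def parse_line(line):
    ts, ip, method, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts.rstrip("Z")), "ip": ip,
            "method": method, "path": path, "status": int(status)}


def max_requests_in_window(times, window):
    """Largest number of requests from one source inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_anomalies(lines, inventory=DOCUMENTED_APIS, window=timedelta(seconds=10),
                     burst_threshold=30, distinct_threshold=4):
    """Return three findings:
    bursts      - sources exceeding burst_threshold requests within `window`
    probing     - sources touching at least distinct_threshold distinct paths
    shadow_apis - paths outside the inventory that answered 2xx (live but undocumented)"""
    times_by_ip = defaultdict(list)
    paths_by_ip = defaultdict(set)
    shadow = set()
    for rec in map(parse_line, lines):
        times_by_ip[rec["ip"]].append(rec["ts"])
        paths_by_ip[rec["ip"]].add(rec["path"])
        if rec["path"] not in inventory and 200 <= rec["status"] < 300:
            shadow.add(rec["path"])
    bursts = {}
    for ip, ts in times_by_ip.items():
        n = max_requests_in_window(ts, window)
        if n >= burst_threshold:
            bursts[ip] = n
    probing = {ip: len(p) for p_ip, p in [(k, v) for k, v in paths_by_ip.items()]
               for ip in [p_ip] if len(p) >= distinct_threshold}
    return {"bursts": bursts, "probing": probing, "shadow_apis": sorted(shadow)}


if __name__ == "__main__":
    for name, finding in detect_anomalies(build_sample_log()).items():
        print(f"{name}: {finding}")
```

A 404 on an unlisted path is just probing noise; a 2xx on an unlisted path means the endpoint exists and nobody documented it, which is the shadow-API finding worth paging on. In a real SIEM the inventory would be fed from the API gateway's route table or an OpenAPI spec, and the thresholds tuned per client.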
Samora: On the same, you've spoken about DevSecOps where security is tightly embedded into the Devops process - please take me through DevSecOps from a practical experience - can you give me a practical example of the Security aspect in a typical devops process - how does this look like?
Bright: There is always a blind battle between software development teams and Cyber Security teams when executing application development projects. Security needs to be involved in the software development process; influence from the security team at the beginning allows various anticipated vulnerabilities to be identified and eliminated before the development cycle begins. This also helps the codebase as well as the infrastructure to be secure from the onset, and delivery of applications to be on time and efficient, whilst reducing overall risks.
With the above, only close monitoring and improvement over time will be needed to keep applications secure. Security in DevOps will pay attention to issues such as infrastructure, authentication, monitoring, validation, data throttling and quotas, API management and firewalling.
All the above has to be led by a security team guiding the DevOps team when designing the application flow, for later testing against international standards such as OWASP (Open Web Application Security Framework).
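As an added example of the throttling and quota item in that list (written for this edit, not code from the original article or any named vendor), here is a per-API-key token bucket with a daily quota in Python, with authentication of the calling key checked first. Key names, limits and the caller-supplied clock are assumptions; in production the clock would be the gateway's own and the counters would live in shared storage so every gateway instance enforces the same limits.

```python
"""Added example: per-API-key throttling (token bucket) plus a daily quota,
with authentication of the calling key checked before either. Limits, key names
and the injected clock are assumptions for illustration."""
from collections import defaultdict


class ApiThrottle:
    """Decide whether one API call from `api_key` at time `now` (seconds) may proceed.

    Order of checks matters: an unknown caller is rejected before it can consume
    capacity, and an exhausted daily quota is reported before the bucket is touched,
    so a quota-exceeded client cannot also burn rate-limit budget."""

    def __init__(self, known_keys, capacity, refill_per_sec, daily_quota):
        self.known_keys = set(known_keys)             # assumed: keys issued by your auth system
        self.capacity = float(capacity)               # burst allowance
        self.refill_per_sec = float(refill_per_sec)   # sustained rate
        self.daily_quota = daily_quota
        self._buckets = {}                            # api_key -> (tokens, last_refill_time)
        self._used_today = defaultdict(int)

    def allow(self, api_key, now):
        if api_key not in self.known_keys:
            return False, "unknown_key"
        if self._used_today[api_key] >= self.daily_quota:
            return False, "quota_exceeded"
        tokens, last = self._buckets.get(api_key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens < 1.0:
            self._buckets[api_key] = (tokens, now)
            return False, "rate_limited"
        self._buckets[api_key] = (tokens - 1.0, now)
        self._used_today[api_key] += 1
        return True, "ok"

    def reset_daily(self):
        """Call from a scheduled job at the quota boundary (assumed to be daily)."""
        self._used_today.clear()


def simulate():
    """Constructed traffic pattern: a burst, a short pause, a second burst, a long gap,
    then a request carrying a key the auth system never issued."""
    throttle = ApiThrottle({"key-A"}, capacity=5, refill_per_sec=1.0, daily_quota=8)
    decisions = []
    for now in [0.0] * 6 + [2.0] * 3 + [100.0] * 2:
        decisions.append(throttle.allow("key-A", now)[1])
    decisions.append(throttle.allow("key-ZZZ", 100.0)[1])
    return decisions


if __name__ == "__main__":
    print(simulate())
```

The reason strings are deliberately distinct: "rate_limited" from a known key is normal back-pressure, while a run of "unknown_key" or a key hitting "quota_exceeded" early in the day is the kind of anomaly worth forwarding to the SIEM.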
Samora: I've been in leadership and often the focus is on the top-line in terms of revenues and launching customer facing propositions. You're right in that security is often an afterthought - how should organizations in practice make security part of their day to day thinking and approach
Bright: Senior managers more often than not only want to be involved in Security matters when:
A Security Breach Has Occurred;
Reputational Damage Is on The Line;
Financial Loss Has Been Triggered;
There Is a Total Lockdown of Systems and Network.
There needs to be a close relationship between management and the Security leads (CISO or Head of Risk). The disconnect arises when the CISO or Head of Risk does not communicate risks in business terms, thus always coming across as a cost centre instead of a problem solver.
A practical example is to explain the basis of a Risk Analysis:
Your Risk Profile;
How susceptible is your company to risks, and what are those risks?
Your Risk Appetite;
What level of risk is acceptable, and how much are you willing to invest to mitigate it to that point?
Your compliance obligations;
What industry regulations do you need to put in place?
All the above requires a CISO to show the vulnerability reports indicating the level of attacks, what anomalies stood out and how they have been dealt with.
Below are some of the questions CEOs should be asking:
What are our Key information Assets?
Do any of our supply chain partners put us at risk?
What processes do we have in place to deal with Cyber Threats?
How do we move from reactive to proactive Cyber Attacks?
How do we put the Cyber threats we face into business context?
How do we demonstrate the return on investment of our Cyber Security measures?
What does an overall Cyber Strategy look like for the business?
Are the right people empowered to respond to Cyber threats, and has it been tested?
What is the role of the Board in Cyber Resilience of the business?
Research done by securityintelligence.com states that “More than half (55%) of security and technology executives tell PwC that they intended to increase their security budgets in 2021.
However, the same percentage of respondents say their employers’ digital security spending didn’t match the most important risks. The same proportion of executives doubted their digital security budgets could provide the best return on investment or handle an attack”
A lot of awareness communication about what Security risks are and how they will affect the business has to be done very regularly, with insights on the trending topics that will affect their industry, but better yet with a solution focus.
Samora: In Africa, we have in many instances architectures that are a mix of on-prem and cloud environments. What are the main risks you have seen in practice from such hybrid architectures and what are the things organizations can do to improve security;
Bright: The benefits of cloud environments surpass on-prem in many instances, from management and scalability all the way to security implementation. The major security challenge comes in when on-prem security doesn’t get the level of attention and detail that it needs. This comes down to having the right configuration, access control and protection mechanisms. Cloud instances also have a lot of compliance mechanisms already built in, which reduces the amount of due diligence an engineer has to put in place.
Samora: In your view is a cloud migration more beneficial given that it reduces the security risks – arguably cyber security expertise is hard to come by and expensive, is this a consideration for moving to cloud?
Bright: Even with total migration to the cloud, skillset is usually a problem when it comes to administration. This, however, is easier to manage and control than on-prem, which requires almost 4x the manpower, resources and skills to manage. The risk exposure is also higher, as there are too many unknowns that come into play.
Samora: Please speak more on cyber-resilience viz cybersecurity and why people need to focus on this and actually what it means.
Bright: We have been focusing a lot on Cyber security, which involves Protection, Detection and Response. Resilience, on the other hand, has two more elements, which are Identification and Recovery. Being able to identify security incidents that will occur before they happen, and the best-placed methodology to recover, sets the difference between a business running or not.
Samora: How is this practically done?
Bright: Cyber Resilience in this day and age can be achieved through the “Zero Trust” framework, which is the latest trend in the Security community. Forrester’s definition: “Zero Trust is not one product or platform; it's a security framework built around the concept of “never trust, always verify” and “assuming breach.” Attempting to buy Zero Trust as a product sets organizations up for failure. ... Vendors enable Zero Trust; they are not Zero Trust itself”
The misconception is that there is one vendor that can find and fix all loopholes and have solutions for them, which is not true. It is a journey and not a sprint; it needs careful scoping for implementation and does not require one to rip out all the security controls they have and start afresh.
Being able to identify possible security vulnerabilities, and testing them in order to know how to fix them, will ultimately achieve resilience.
All the above needs to be sealed with continuous monitoring, threat intelligence, and automation for early detection, triage, investigation, orchestration and remediation. Some of the systems that achieve this well are Exabeam, Securonix, Palo Alto XDR/XSOAR and Microsoft ATP, integrating with an entire company’s enterprise-wide infrastructure fabric.
Samora: Digital wallets and security - how can customers better manage their digital wallets - and what should organizations do to increase the security of digital wallets - what are some of the interesting things you’ve seen in this space?
Bright: A lot of digital wallets have been focused on usability and functionality. Security has to be put into every aspect, assuming all possible means of breaching the system. Special attention has to be paid to supply chain attacks, which concern the connection between the digital wallets and other third parties that process activities on their behalf. API security has been the area of most concern that I have witnessed in the past. E.g., a compromised loan application API allows one to process more than they requested and to a different number. This is difficult to trace as well, due to the fact that the new phone number does not even exist on the wallet system.
Architectural design is the last base to couple with API security, as that sets the base of all communication for supply chain attacks.
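To make the loan API scenario above concrete, here is an added example in Python, written for this edit and not code from the original article or from any wallet provider: a disbursement handler that trusts the client-supplied amount and destination number, beside a hardened version that derives both from the server-side approved loan record and the authenticated wallet's registered number, and refuses a replay. The data model, field names and numbers are assumptions.

```python
"""Added example: loan-disbursement handler, vulnerable form beside hardened form.
The data model, field names and values are constructed for illustration."""


class DisburseError(Exception):
    """Raised by the hardened handler; each message is a useful SIEM signal."""


def sample_state():
    """Constructed wallet and loan records (not real data)."""
    wallets = {"wallet-001": {"msisdn": "+254700000001", "balance": 0}}
    loans = {"loan-9": {"wallet_id": "wallet-001", "amount": 5000, "status": "approved"}}
    return wallets, loans


def disburse_vulnerable(request, loans):
    """Pays whatever amount and destination number the request carries.
    Only the loan's existence is checked; amount and msisdn come straight from
    the caller, so anyone who can reach this API can inflate the amount and
    redirect it to a number that does not exist in the wallet system at all."""
    _ = loans[request["loan_id"]]        # KeyError if unknown loan; nothing else checked
    return {"loan_id": request["loan_id"], "paid_to": request["msisdn"],
            "amount": int(request["amount"])}


def disburse_hardened(request, authenticated_wallet_id, wallets, loans):
    """Derives amount and destination from server-side records only.
    `authenticated_wallet_id` comes from the verified caller identity (for
    example a validated token), never from the request body."""
    loan = loans.get(request.get("loan_id"))
    if loan is None or loan["status"] != "approved":
        raise DisburseError("no approved loan for this id")
    if loan["wallet_id"] != authenticated_wallet_id:
        raise DisburseError("loan does not belong to the caller")
    wallet = wallets[authenticated_wallet_id]
    amount = loan["amount"]                          # authoritative amount
    # Client-supplied fields are never used, but a mismatch is tampering worth logging.
    if "amount" in request and int(request["amount"]) != amount:
        raise DisburseError("client amount disagrees with approved loan")
    if "msisdn" in request and request["msisdn"] != wallet["msisdn"]:
        raise DisburseError("destination is not the wallet's registered number")
    loan["status"] = "disbursed"                     # single-shot: a replay cannot pay twice
    wallet["balance"] += amount
    return {"loan_id": request["loan_id"], "paid_to": wallet["msisdn"], "amount": amount}


if __name__ == "__main__":
    tampered = {"loan_id": "loan-9", "amount": "50000", "msisdn": "+254799999999"}
    wallets, loans = sample_state()
    print("vulnerable:", disburse_vulnerable(tampered, loans))
    wallets, loans = sample_state()
    try:
        disburse_hardened(tampered, "wallet-001", wallets, loans)
    except DisburseError as err:
        print("hardened rejected:", err)
    print("hardened honest:", disburse_hardened({"loan_id": "loan-9"}, "wallet-001", wallets, loans))
```

The hardened handler still accepts a request that carries amount and msisdn, as older clients might send them, but it treats any disagreement with the server-side record as a rejection rather than an instruction. The status flip to "disbursed" is what stops a captured request being replayed; in a real system that update and the balance credit would sit in one database transaction.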
Samora: Is the nature of threats evolving and which areas are becoming more high risk when you consider cyber-security? Previously, network security was considered the most important and if your network was secure then you could rest easy - how has this changed?
Bright: The nature of attacks has drastically changed over the past few years. Hackers are looking for new ways to compromise systems and applications but, most importantly, go for the easy ones. There are also too many open-source tools that allow for this, so hunting down targets and identifying the avenues to exploit is becoming too easy. The generation responsible for these attacks is also younger, and the resources to learn how exploitation of systems works are readily available in open channel rooms as well as on YouTube and Google.
Samora: Will technologies such as IoT and 5G increase the surface area of attack and are there any discussions in industry to minimize or prevent these attacks?
Bright: Adversaries depend a lot on speed of connectivity, of which IoT and 5G are main contributors. The faster the access to scan for devices and send attacks, the better it is for a hacker. Given that not much focus is placed on IoT and its threat attack surface, the increase is coming, and it is a matter of time before it blows up. For instance, IoT devices exposed online are now being weaponised to perform DDoS (distributed denial of service) attacks against networks, which means the adversary does not have to spend too much time compromising servers as an avenue but can use the easily accessible IoT devices.
The End
Follow Bright on Twitter and LinkedIn
As always thanks for reading and drop the comments below and let’s drive this conversation.
If you want a more detailed conversation on the above, kindly get in touch on samora.kariuki@frontierfintech.io or samora.kariuki@gmail.com