RBI guidelines for banks to combat escalating cyber attacks

To meet the growing needs of customers, banks are increasingly adopting Information Technology (IT) solutions, to carry out daily operations. Thus making them attractive targets for escalating cyber attacks. To ensure that Indian banks function in a cyber-resilient environment, the Reserve Bank of India (RBI) issues regular guidelines. Hence, in one of its recent circulars, in addition to distinguishing cybersecurity from information security, the RBI advises banks to establish mechanisms for:

  • Continuous surveillance to protect personal data
  • A focused approach towards cybersecurity
  • Board/ Top Management to be aware of the bank’s threat quotient
  • Board/ Top Management to proactively monitor, share, and mitigate threats

 

The RBI guidelines advocate the following measures to help banks improve their overall security posture:

1. Provision for continuous surveillance

Cyber attacks are not preceded by warnings or timelines.  Hence, the RBI recommends that banks set up continuous surveillance to stay abreast of emerging cyber threats.

XVigil helps you anticipate and mitigate threats

XVigil, CloudSEK’s digital risk monitoring platform, offers continuous monitoring across the surface and the dark web. Specifically focusing on: mentions of the bank, its brand, and its infrastructure.

 

2. Ensure protection of customer data

Financial institutions depend on technology to function smoothly. It also helps them deliver cutting-edge digital products to address their customers’ needs. However, in the process, banks collect customers’ personal and sensitive information.

Banks should take appropriate steps to ensure uncompromised confidentiality, integrity, and availability of this data. Moreover, as custodians of such information, it is incumbent on banks to preserve data, in transit and in storage, within their environment or that of third party vendors. To this end, banks should establish suitable systems and processes, across the data/ information lifecycle.

XVigil detects data leaks

XVigil proactively monitors the web for data leaks. Subsequently, it alerts banks to leaks involving their customers’ information, credit card details, or debit card details. The platform also reports 3rd party data leaks that could affect banks and their customers.

 

3. Report cybersecurity incidents to RBI

Banks also need to notify the RBI of all unusual cybersecurity activities and incidents, irrespective of the success or failure of the attempts.

XVigil generates reports to notify the RBI

XVigil prepares reports, listing major incidents that may be submitted to the RBI, adhering to compliance standards.

 

4. Manage inventory of IT assets

Banks need to maintain an up-to-date inventory of assets including their infrastructure and business applications.

XVigil scans your assets every day

XVigil performs daily asset scans, to track all internet-facing assets, including domains, sub-domains, IPs, WebApps, etc.

 

5. Prevent execution of unauthorized software

Banks should maintain an updated, and preferably centralized, inventory of authorized/ unauthorized software.

XVigil monitors for Shadow IT threats 

XVigil runs infrastructure scans every day and alerts banks to any threats. As a result, it keeps Shadow IT threats in check.

 

6. Secure configuration

Banks must document and apply baseline security requirements/ configurations to all categories of devices.

XVigil detects misconfigured assets

XVigil detects and reports misconfiguration of internet-facing assets, in addition to the Open Web Application Security Project (OWASP) top 10 vulnerabilities.

 

7. Vendor risk management

Banks are accountable for appropriate management of security risks pertaining to outsourced and partner arrangements.

XVigil detects third-party leaks 

XVigil monitors and reports on any third-party sources that leak sensitive information, thus fulfilling the RBI’s requirement to manage vendor risk.

 

8. Advanced real-time threat defence and management

The RBI advocates for banks to:

  • Build a robust defence system against the installation, spread, and execution of malicious code, at multiple points in the enterprise
  • Consider whitelisting of internet websites/ systems
  • Consider implementing secure web gateways with capabilities to deep scan network packets. Hence securing (HTTPS, etc.) traffic passing through the web/ internet gateway.
XVigil provides real-time alerts 

XVigil monitors and provides real-time alerts, on threats that impact banks’ brand or infrastructure, from various sources across the surface web and the dark web. In addition, the platform scans open ports, misconfigured SSLs, leaky S3 buckets, and  XSS vulnerabilities.

 

9. Anti-Phishing

Banks have been advised to subscribe to anti-phishing/ anti-rogue apps or services from external service providers. Since, this will help them identify and take down phishing websites/ rogue applications.

XVigil detects and initiates takedowns

XVigil detects phishing/ rogue apps, fake domains, and fake social media accounts. CloudSEK also offers takedown of such phishing websites/rouge applications.

 

10. Data leak prevention strategy

Banks should develop a comprehensive data loss/ leakage prevention strategy to safeguard sensitive, proprietary, and confidential business and customer data.

XVigil monitors data leaks

XVigil scans for data leaks, including third-party leaks, and additionally gives banks timely and actionable threat intelligence.

 

11. Vulnerability Assessment, Penetration Test, and Red Team Exercises

Banks should conduct periodic vulnerability assessment and pen-testing exercises on all the critical systems, particularly the internet-facing ones.

XVigil runs periodic tests

XVigil runs basic level vulnerability assessments, as well as pen-testing exercises, every day. And subsequently alerts banks to open ports, misconfigured SSLs, leaky S3 buckets, and  XSS vulnerabilities.

 

12. Forensics

Banks must make arrangements for forensic investigation unless they have support.

CloudSEK offers forensic services and support

CloudSEK offers forensic services, together with unlimited support.

 

13. External Integration

While delivering services to customers, several stakeholders are involved directly or otherwise. Their experience is indispensable. Besides, their integration with multiple tools would give organizations a view of the entire security landscape. Thus, encouraging better decision making.

XVigil can be integrated with ease

XVigil can be easily integrated with multiple SIEMS, SOAR and other platforms. Thus giving banks a single view of their entire security landscape.

 

Fake Image - CloudSEK

Menace of Fake Banking Services

We have all received calls from fake bank representatives, offering us complimentary credit card upgrades, free Insurance, and assistance to complete KYC (Know your customer) formalities. And to provide these services, they would have requested us for credit card or debit card details.

However, in the last few years, the general public has smartened up to this scam. And most of us don’t indulge these calls anymore. And in response to this, scammers have repackaged their scams, that are delivered to us, via other channels. The new schemes are so convincing that we reach out to them.

Let’s explore these sophisticated approaches and the various resources that allow scammers to continue defrauding us.

What makes us vulnerable?

Most people unequivocally rely on Google search for everything ranging from bank locations to restaurant reviews. So, it is only natural that scammers have started targeting Google services, to index bogus web pages that contain fake bank branches and customer care numbers. Also, it is simple to list a business on Google, because there is no detailed verification process. In 2018, police busted a scammer who was running a fake branch of Karnataka Bank in UP’s Ballia.

How are fake banking services provided?

  • The scammer buys a domain name that closely mimics the targeted bank. They replicate the bank’s trademarks, logos, and website design, to give it an air of authenticity.
  • They set up telephone numbers which are advertised on the fake website. The scammer goes the extra mile, to convince skeptical users, by mimicking original caller tunes, hold tunes, and following standard operating procedures.
  • Sometimes, scammers even set up interim branches and kiosks, employing people at different levels, so that it appears to be a legitimate operation.
  • They then list themselves on Google services with seemingly genuine location details.
  • When a customer searches for a bank branch or customer care number, these sites appear as top Google search results.
  • When the customer calls the fake number or visits a fake branch, scammers slip questions about CVVs (Card Verification Value) or ask for OTPs (One Time Password) in the middle of the conversation.
  • They may even advise users to download and install certain remote desktop sharing apps or open links that give them the control of the customer’s mobile device.
  • Scammers especially favour UPI (Unified Payment Interface) and other similar apps. They will ask for a victim’s UPI ID, and convince them to accept 1 rupee on the app. Wherein, instead of accepting money, unaware and inexperienced users, will in fact be remitting a large amount from their account.

Are there precautions we can take?

  • Stay abreast of scammers and the different types of online scams.
  • Proactively monitor the surface web and alert authorities of any scams you have identified.
  • Inform targeted banks about such scams. It will also help them to initiate the takedown of such sites and apps and ensure others don’t fall prey to these scams. 

If you have concerns about your organization’s security posture, contact us: Request a Demo now.