2015/06/16 13:57:39

Interview with the vice president for security of Tinkoff Bank

The number of users of corporate resources from mobile devices at Tinkoff Bank doubled in a year. For this reason, in 2014 the bank implemented several large-scale projects, one of which is designed to increase the security of information on BYOD devices. The implemented solution keeps all work mail in a password-protected container, and messages are transmitted via a secure channel. Stanislav Pavlunin, the vice president for security of Tinkoff Bank, spoke about this and other large-scale projects in an interview with TAdviser.

TAdviser: Stanislav, what types of cyberthreats do you consider most characteristic of the banking industry?

Stanislav Pavlunin: To start, I would like to talk about the specifics of the bank's business. Tinkoff Bank is not a classical bank, but an IT company with a banking license. We have no offices, and all questions that clients have are resolved remotely. The bank's staff includes a large number of developers, system administrators, and representatives of third parties whom we engage on an outsourcing basis. We need to control employees who work remotely. We control such specialists at the points of entry into the bank's infrastructure. The activity of employees who have remote working access to the internal systems is also controlled.

The risks inherent in IT companies are characteristic of us. Also trending are targeted attacks, which go side by side with social engineering, and DDoS attacks, which have not gone anywhere. These phenomena are much simpler to deal with than viruses that attackers write for targeted actions. Standard antiviruses do not detect malicious objects that are written for a specific target of attack. Systems that make it possible to record such targeted attacks on a specific financial institution and to reveal risks on the fly are a different class of security.

TAdviser: If Tinkoff Bank is an IT company with a banking license, what tools did you use to protect yourself against the risks inherent in classical banks?

Stanislav Pavlunin: Certainly, Tinkoff Bank has a classical part that is characteristic of any bank: a DLP system, an antivirus system, a system for user access to databases, and control of users who have access to various connections and additional options such as ICQ, Skype and so on. There is also a component driven by the specifics of the bank's work. As for specific solutions, we use products of the leading world vendors that appear in Gartner's analytical reports.

TAdviser: How regularly do you commission security audits at the bank?

Stanislav Pavlunin: We have several regular audits. There are information security audits that we are obliged to carry out within the time frames set by the regulator, the Central Bank of Russia. As a rule, such an inspection is carried out once a year.

There are security audits that we organize for a number of critical systems within a month or a quarter. According to internal regulations, an inspection of systems is carried out every three months.

TAdviser: What large projects in the field of security did you implement in 2013-2014?

Stanislav Pavlunin: We implemented a number of projects in the field of information security in 2013-2014.

For example, we implemented a project to deploy a system of the Mobile Device Management class. Many employees of the bank want to have access to mail, to respond to messages, and to be mobile and effective outside the office. Previously, access to the device was issued via the mail server. With that implementation there were risks of losing work files and data as a result of loss or theft of the device. All information went over an "unprotected" communication channel. The options for interception could be very diverse.

We spent a long time looking for a solution on the market and consulted Gartner's assessments. As a result, we settled on one of five vendors. This solution keeps all work mail on the device in a password-protected container. The container holds the work calendar, mail and notes. Mail is transferred from the bank's server to the end device via a secure channel.

If a user loses the device, they do not always immediately report to the support service that they had installed Tinkoff Bank's mobile corporate services on it. Here the security operator can react quickly through MDM.

The BYOD concept is developing actively, and Tinkoff Bank aims to be one step ahead of classical players. A year ago there were about 150 BYOD users, and now their number exceeds 300. Last year the bank's specialists finally implemented a DLP system, additionally purchasing a module for control over e-mail, web traffic, remote workstations and end users.

In 2014 a SIEM system was implemented. It makes it possible to collect and correlate all logs from all devices on the network, to show rules and unusual situations, and to inform the cybersecurity officer of emergency situations without delay. The SIEM system processes logs and performs correlation. The operator now has no need to spend time on manual searching for incident objects: the system provides a preliminary result that the specialist needs to examine and make a decision on.

It is a kind of web gateway in the bank on which logs of logins to corporate systems by remote workers and administrators are recorded in protected mode. In case of an incident, we can find the specific cause and draw conclusions for the future to avoid similar consequences.

Last year we completed a database protection project. For this purpose we purchased and implemented a serious solution. First of all, the databases that contain critical information about clients are protected. The bank's security department was the initiator of all projects connected with information security. The information security directorate, which interacts with the IT department, is part of it.

TAdviser: What projects in the field of information security are you going to implement in 2015?

Stanislav Pavlunin: One of the largest projects, which is now in the implementation phase, is protection against APT attacks. We spent a long time testing large, complex systems that make it possible to catch specific attacks and counteract them. Perhaps the number of users of corporate systems will increase, and in this connection the MDM solution will be developed further.

TAdviser: Do you categorize incidents by responsible party and by incident channel?

Stanislav Pavlunin: Of course, it is our practice to divide responsible parties into external and internal, and incidents by channel, since it is necessary to understand how to prevent possible attacks on the bank and to minimize the amount of risk. Everything here is automated with respect to information security; we also carry out continuous analysis and improve our cybersecurity processes.

The main channels exposed to risk are the most important communication systems. First of all, this is corporate mail. While spam problems are solved by specialized tools, for information loss prevention we have a DLP system. The risk that a bank specialist may intentionally or unknowingly send internal information over the mail channel always exists.

The second important channel of employee interaction with the bank is the web channel. Here too we control everything carefully. Depending on their functions, employees are given different Internet access, and some workers are allowed only a certain list of websites. Over the last year the number of violations by personnel decreased considerably. I am sure that the more an employee knows about the rules of work at the bank and about information security, the less he violates.

TAdviser: How do you increase the literacy of employees? Are the lectures on information security based on real cases?

Stanislav Pavlunin: Indeed, we launched a training program for the bank's employees. New specialists are trained without fail, acquiring the necessary skills for working with corporate mail, the Internet, removable media, antivirus protection and so on. We made the program interactive so that it would be genuinely interesting to listeners.

Sometimes cases from our practice become the basis for lectures. For example, last year the bank underwent a powerful DDoS attack. Information security specialists identified the perpetrators and, together with law enforcement agencies, brought them to trial. We made a good lesson for listeners out of this case and learned a lesson ourselves.

We strengthened external systems and established cooperation with companies that provide specialized services for cleaning traffic of DDoS attacks. As a rule, we change the training program once every half year: we update it or remove outdated elements.

TAdviser: Stanislav, do you welcome the practice of bringing in anykey-specialists in the field of information security?

Stanislav Pavlunin: The involvement of anykey-specialists in the sphere of information security is quite a debatable matter. Of course, this approach is welcomed by any commercial organization where there cannot be a large number of employees, as in Sberbank.

Such specialists can be necessary in very narrow areas. For example, within information security one of the areas is means of cryptographic information protection: work with a certification center, release of certificates, tracking of vital release of certificates, execution of FSB licenses and so on.

Here an anykey-specialist who previously worked in this area and understands all the specifics of interaction with the intelligence agencies will be simply necessary. Yes, from time to time we engage such anykey-employees.

TAdviser: What global or local trends will define processes in information security over the next 2-3 years in the industries close to you: classical banking and IT?

Stanislav Pavlunin: I believe that state regulation of the banking sector will increase. In my opinion, the Central Bank is doing the right thing when it strengthens regulation. Companies, in turn, will resist the growing challenges from hi-tech fraudsters and hackers. All this will take place against the background of the development of the IT industry and technologies. Along with that, new threats are developing which we will be forced to resist.