The Bank of Queensland has found some of its code in public GitHub repositories.
It likes to know these things.
BOQ’s head of cyber security, Hadi Rahnama, on Monday advised delegates at analyst firm Gartner’s Security and Risk Management Summit that it’s worth trawling coding collaboration environments because, well, “sometimes developers share it.”
Rahnama did not elaborate on what was found online, but seemed unconcerned by the find.
It was suggested the code was not important and/or had not been accessed many times.
Interestingly, Rahnama counselled vigilance, but not prohibiting developers from using public collaboration sites point blank.
In his talk, titled “Cybersecurity journey through digital transformation”, Rahnama also counselled that it is well worth doing the basics of security well.
He suggested well-known tactics such as assessing risk impact, implementing defence in depth, ensuring systems are secure by design and being proactive in security management as the foundation of the BoQ's efforts.
He also advised paying special attention to identity management, because in a large organisation such as the bank it’s easy to lose track of who has access to what.
Rahnama has therefore implemented a policy of using only cloud services that can integrate with Azure Directory Federation Services, as BoQ uses that tool for single sign-on across its estate.
The bank’s use of that tool is sufficiently advanced so that departing staff will be logged off all services the bank uses, and locked out of any devices they use, at 17:00 on the day they leave the organisation.
Rahnama added that skills development is another cornerstone of the bank’s security plan. That emphasis has seen him in-source threat analysts, because he feels that it is more effective to combine domain expertise with expertise in the bank’s business.
He’s also had success hiring graduate analysts, who he said are cost-effective, dedicated, keen and can be brought up to speed reasonably quickly. Rahnama added that because his graduates are well motivated, they can be better threat-spotters than perhaps jaded older analysts.
The BoQ cyber chief advocated use of control testing in the form of regular penetration tests and red teaming exercises that see white hat hackers told to use any means possible including social engineering to penetrate the organisation.
He said the latter are particularly effective at finding vulnerabilities and that, while the results can be scary, it’s something he intends to do periodically.
Control testing is also important because he worries that suppliers in the security ecosystem can introduce vulnerabilities due to the information they collect and its potential exposure beyond a vendor and into the wider world.
Governance was the fourth pillar of his plan.
Rahnama also offered some choice advice to users and vendors alike: “don’t fall for fake AI.”
He based that suggestion on tools he’s been offered that suggest user behaviour represents a threat if logins take place at unusual times of day.
He dismissed such warnings as mere “baseline analysis” passed off as AI, and suggested that vendors should be asked whether they can accommodate users’ own algorithms for data analysis, as a far better way to assess whether their tools really can deliver on the promise of AI.
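To show what the “baseline analysis” Rahnama describes amounts to, here is an added example (written for this page, not BoQ’s or any vendor’s code; the log format, the constructed sample logins and the thresholds are assumptions) that flags logins at unusual hours for a user using nothing more than counting over that user’s earlier logins:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of successful-login records, one "<user> <ISO timestamp>" per line.
SAMPLE_LOGINS = """\
alice 2024-03-04T08:55:00
alice 2024-03-05T09:02:00
alice 2024-03-06T08:47:00
alice 2024-03-07T09:10:00
alice 2024-03-08T08:58:00
alice 2024-03-11T03:12:00
bob 2024-03-04T22:30:00
bob 2024-03-05T23:05:00
bob 2024-03-06T22:41:00
bob 2024-03-07T09:15:00
"""

def parse_logins(text):
    """Parse 'user ISO-timestamp' lines into (user, datetime) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            user, ts = line.split()
            events.append((user, datetime.fromisoformat(ts)))
    events.sort(key=lambda e: e[1])
    return events

def hour_distance(a, b):
    """Circular distance between two hours of day, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def find_unusual_logins(text, window=2, min_support=2, min_history=3):
    """Flag logins whose hour has little support in that user's earlier logins.

    A login is judged only once the user has min_history prior logins, and is
    flagged when fewer than min_support of those fall within +/- window hours.
    That is the whole 'unusual time of day' rule: a per-user histogram, no learning.
    """
    history = defaultdict(list)  # user -> hours of that user's earlier logins
    flagged = []
    for user, when in parse_logins(text):
        prior = history[user]
        if len(prior) >= min_history:
            support = sum(1 for h in prior if hour_distance(h, when.hour) <= window)
            if support < min_support:
                flagged.append((user, when.isoformat()))
        prior.append(when.hour)
    return flagged

if __name__ == "__main__":
    for user, ts in find_unusual_logins(SAMPLE_LOGINS):
        print(f"unusual login time: {user} at {ts}")
```

On the sample, bob’s 09:15 login after three late-evening logins and alice’s 03:12 login after a week of office-hours logins are the two flagged; a tool that reports only this deserves the “baseline analysis” label.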