Enhancing the culture of information security in fintech companies


Modern companies require a special approach to information security. The information security department is no longer just a supervisor and controller: it actively talks with people and becomes a full participant in business processes.

Exness is a fintech company with over 70,000 monthly active customers worldwide, and the entire business is online. Data is our main asset and driver, so information protection is priority No. 1.

Exness employs over 500 people: about 150 in R&D and IT, plus many technical support staff, sales managers, and anti-fraud and compliance specialists. One way or another, all of them work with sensitive data or have access to important functionality, internal information, code, or admin consoles. A single unintentional mistake or a gap in staff awareness can cost the business millions. You don’t have to look far for examples: the news is full of reports of leaks from unsecured Elasticsearch or MongoDB servers and S3 buckets, often caused by human error.

People are the weakest link in information security, so we set ourselves the task of improving the information security culture among employees. Below we share what we have done and how we evaluated the results.

We divided the task into two directions:

  1. Improve understanding of security issues among all employees, including non-IT staff.
  2. Improve understanding of security issues among the technical teams.

We will conditionally call these directions “organizational” and “technical”. Work in the first direction consists of conveying the general issues of digital hygiene, modern threats, countermeasures, and the possible consequences for the business.

The second direction is more specialized. Technical specialists must comply with information security rules in the course of their work, and they must know not only why this should be done but also what exactly to do and how.

Purpose - Security Awareness


Security Awareness is a key concept of information security in a company. Employees comply with information security rules if they know, understand and share them. 

Conveying the rules to employees is a straightforward task. Motivating people to follow them is harder. We know that wearing a seat belt in a car or washing our hands with soap significantly reduces the likelihood of bad consequences, and we do it automatically, without agonizing over it. How do you build the habit of “washing your hands” before working with data?



Security Awareness begins with the realization that risks are real: you and your system can genuinely be the target of an attack. Through this understanding, digital hygiene becomes a habit and part of the work environment and internal culture. In other words, employees follow information security rules when they understand why they are necessary and how high the risks are; in that case there is no internal resistance.

Sheriff or preacher?


Modern companies pay great attention to employees’ comfort and psychological state. This means that repressive measures are hard to apply, even in information security: a balance must be kept between freedom of action and rules. We believe that understanding the threats and a sense of responsibility for the business work better than fear of punishment, and that the key to effective information security is communication with employees and an understanding of the problems of each product and each team.

From theory to action! 


So, how does our team introduce a culture of information security at the organizational and technical levels?

Employee training and involvement


For new employees, we give a presentation on how security processes in our company are organized and how to protect yourself from everyday risks such as phishing, password leaks and malware infections.

For all employees, we run workshops (OSINT, brand protection, blind SQL injection, pentesting lab machines, cloud-specific hacking techniques) and give talks at internal events. Regular internal training and live demonstrations matter: a demonstration of how a typical vulnerability is exploited works better than a long lecture. A plain-language explanation of what asymmetric cryptography is, why a token is needed, or the easiest way to use Vault saves technical teams a lot of time.

A security mini-blog on the corporate social network


We try to maintain a constant stream of posts from the information security team. Our colleagues should see that we keep up with what is happening, give advice, announce changes, and try to interest and engage every employee.



Regular meetups and exchange of experience


The roof of our office in Limassol offers, besides a beautiful view, everything needed for meetups of 100+ people, and we use it regularly. Two or three times a year we gather specialists to discuss application security, risk management, DevSecOps practices and other topics. The events are attended by company employees and members of the local IT community, and from the point of view of internal culture our main task is to show that information security is interesting and important.



Internal phishing


Many employees do not believe that opening a link or a document can be harmful, or are simply not vigilant enough. By running internal phishing campaigns we get statistics across the organization on which people make mistakes most often, and we continuously adjust the internal training program on social engineering and phishing accordingly. We also get confirmation that phishing works.
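As an added example (not the page’s own tooling), here is how such campaign statistics can be derived from an event log: per-department click and credential-submission rates, the organization-wide click rate per campaign, and the employees who fall for it repeatedly. The CSV log format, campaign names, departments and employees are constructed assumptions; real phishing-simulation tools export something similar.

```python
"""Aggregate internal phishing simulation results per department and per campaign.

Added example, not the page's own tooling. The log format is a constructed
assumption: one CSV row per event, `campaign,employee,department,event`,
where event is sent / opened / clicked / submitted (submitted = credentials
entered on the fake login page).
"""
import csv
import io
from collections import defaultdict

# Constructed sample data for two campaigns (not real results).
SAMPLE_LOG = """\
campaign,employee,department,event
2019-q3,alice,support,sent
2019-q3,alice,support,clicked
2019-q3,bob,support,sent
2019-q3,carol,sales,sent
2019-q3,carol,sales,clicked
2019-q3,carol,sales,submitted
2019-q3,dave,rnd,sent
2019-q4,alice,support,sent
2019-q4,alice,support,clicked
2019-q4,bob,support,sent
2019-q4,carol,sales,sent
2019-q4,dave,rnd,sent
2019-q4,dave,rnd,opened
"""

# Only the worst thing a recipient did in a campaign counts.
EVENT_RANK = {"sent": 0, "opened": 1, "clicked": 2, "submitted": 3}


def parse_log(text):
    """Collapse events into {(campaign, employee): (department, worst_event)}."""
    worst = {}
    for row in csv.DictReader(io.StringIO(text)):
        event = row["event"]
        if event not in EVENT_RANK:
            raise ValueError(f"unknown event {event!r}")
        key = (row["campaign"], row["employee"])
        dept, prev = worst.get(key, (row["department"], "sent"))
        if EVENT_RANK[event] > EVENT_RANK[prev]:
            prev = event
        worst[key] = (dept, prev)
    return worst


def department_rates(worst):
    """Per department: (share who clicked, share who submitted credentials)."""
    sent, clicked, submitted = defaultdict(int), defaultdict(int), defaultdict(int)
    for dept, event in worst.values():
        sent[dept] += 1
        if EVENT_RANK[event] >= EVENT_RANK["clicked"]:
            clicked[dept] += 1
        if event == "submitted":
            submitted[dept] += 1
    return {d: (round(clicked[d] / sent[d], 2), round(submitted[d] / sent[d], 2)) for d in sent}


def campaign_click_rates(worst):
    """Organization-wide click rate per campaign, to see whether training is paying off."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for (campaign, _), (_, event) in worst.items():
        sent[campaign] += 1
        if EVENT_RANK[event] >= EVENT_RANK["clicked"]:
            clicked[campaign] += 1
    return {c: round(clicked[c] / sent[c], 2) for c in sorted(sent)}


def repeat_clickers(worst, min_campaigns=2):
    """Employees who clicked in at least `min_campaigns` campaigns: first in line for retraining."""
    hits = defaultdict(int)
    for (_, employee), (_, event) in worst.items():
        if EVENT_RANK[event] >= EVENT_RANK["clicked"]:
            hits[employee] += 1
    return sorted(e for e, n in hits.items() if n >= min_campaigns)


if __name__ == "__main__":
    results = parse_log(SAMPLE_LOG)
    print("by department:", department_rates(results))
    print("by campaign:", campaign_click_rates(results))
    print("repeat clickers:", repeat_clickers(results))
```

Comparing the per-campaign click rate across waves shows whether the training program is having an effect, while the per-department and repeat-clicker views say where to aim the next round of training. In line with the approach described in this article, the list of repeat clickers is input for targeted training, not a list for punishment.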

Product security


To promote a secure development culture and a better understanding of security issues among developers, we have introduced the following practices.

We constantly communicate with product teams


We attend sprint reviews and architecture committees and periodically discuss current tasks and problems with the technical teams. This makes us part of every project and gives us a better feel for the atmosphere and relationships in the teams. We can make recommendations on the fly (what to protect, why and how) and put the tasks into the backlog.

We run an external bug bounty program on the HackerOne platform


For more than three years we have engaged external expertise to search for vulnerabilities in our infrastructure through the HackerOne platform. We spend more than $50k a year on rewards, which is very little compared to the possible losses. If you do not have a bug bounty program, we recommend starting one: for relatively little money you get a virtually continuous pentest.

We also make use of the reports on vulnerabilities and their potential consequences found by “someone on the Internet”. This information helps the business decide to raise the priority of, and tighten, information security requirements for new products, and to introduce additional checks at the QA level and automated controls.

We look for (and find!) Security Champions in teams for local product security control


In today’s Scrum/Agile reality it is important to have in each team at least one person who can act as a conduit for your recommendations and advocate for the security of the product. Ideally you need full security expertise in every team, but resources are always scarce. Over time a DevSecOps or application security specialist can grow out of a Security Champion, so this is a good opportunity for a product engineer or developer to change focus. In our case we found both DevOps engineers and developers who significantly improved the understanding of security issues within their teams.

How we set information security tasks for product teams


To organize the work we use the OWASP ASVS methodology combined with documented business risks. For each team we introduce a list of controls: the product’s security requirements. It looks like a set of recommendations in which each protective measure corresponds to its own risk. The document clearly shows what has already been completed, what is planned, and which risks the business accepts at this stage of the product life cycle.

Thus the technical teams see what needs to be done, and the associated risks show the business why it needs to be done and what the consequences may be if it is not.

If something has not been done, we consider the corresponding risks accepted, and for each product we keep a register of technical security debt.

An example of controls and relevant risks:
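As an added illustration (not the original document or the company’s tooling), here is how such a register of controls and their associated risks could be kept and reported on in code: what is done, what is planned, what the business has accepted, and a severity-weighted share of closed risk. The control references, requirement and risk texts, severity weights and the closed-risk ratio are all illustrative assumptions, and the ASVS-style references are not tied to a specific ASVS version.

```python
"""Per-product register of security controls tied to business risks.

Added example, not the page's own document or tooling. The control
references, requirement text, risks, severities and the weighting formula
are illustrative assumptions; the ASVS-style references are not checked
against any particular ASVS version.
"""
from dataclasses import dataclass

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 9}   # assumed weights
STATUSES = ("done", "planned", "accepted")


@dataclass(frozen=True)
class Control:
    ref: str          # ASVS-style reference (illustrative)
    requirement: str  # what the team must implement
    risk: str         # business consequence if it is not implemented
    severity: str     # low / medium / high
    status: str       # done / planned / accepted


# Constructed register for one hypothetical product.
REGISTER = [
    Control("V2.1.1", "Minimum password length of 12 characters",
            "Account takeover by password brute force", "high", "done"),
    Control("V2.2.1", "Rate-limit failed login attempts",
            "Credential stuffing against customer accounts", "high", "planned"),
    Control("V3.2.1", "Issue a new session token after login",
            "Session fixation", "medium", "done"),
    Control("V4.1.3", "Least-privilege roles in the admin console",
            "Insider leak of customer data", "high", "accepted"),
    Control("V7.1.1", "Never log credentials or session tokens",
            "Secrets exposed through log storage", "medium", "accepted"),
    Control("V14.4.3", "Send a Content-Security-Policy header",
            "XSS in the customer cabinet", "low", "planned"),
]


def validate(register):
    """Reject entries with an unknown status or severity before reporting on them."""
    for c in register:
        if c.status not in STATUSES:
            raise ValueError(f"{c.ref}: unknown status {c.status!r}")
        if c.severity not in SEVERITY_WEIGHT:
            raise ValueError(f"{c.ref}: unknown severity {c.severity!r}")
    return register


def security_debt(register):
    """Every control not yet done carries a live risk; that list is the product's debt.

    'planned' items are debt the team has already scheduled; 'accepted' items
    are debt the business has explicitly signed off on.
    """
    return [c for c in validate(register) if c.status != "done"]


def accepted_risks(register):
    """Only the risks the business has consciously accepted at this stage."""
    return [(c.ref, c.risk, c.severity) for c in validate(register) if c.status == "accepted"]


def risk_closed_ratio(register):
    """Severity-weighted share of listed risk closed by implemented controls (assumed formula)."""
    total = sum(SEVERITY_WEIGHT[c.severity] for c in validate(register))
    closed = sum(SEVERITY_WEIGHT[c.severity] for c in register if c.status == "done")
    return round(closed / total, 2) if total else 1.0


def render(register):
    """Plain-text view of the register: what is done, planned, and accepted."""
    lines = []
    for status in STATUSES:
        lines.append(f"{status.upper()}:")
        for c in register:
            if c.status == status:
                lines.append(f"  {c.ref:<8} {c.requirement}  [risk: {c.risk}, {c.severity}]")
    lines.append(f"Risk closed: {risk_closed_ratio(register):.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(REGISTER))
```

Keeping the register as data rather than as a static document means the same source can feed the backlog (planned items), the risk report for the business (accepted items) and a trend line of the closed-risk ratio over releases; the weights and formula here are a placeholder to be replaced by whatever risk scale the business actually uses.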



What is the result? 


To measure the effect of all these activities we use indicators that, in our opinion, reflect how far the security culture has penetrated all stages of a product’s life.

In the technical direction we use two main indicators.

1. Product Security Index

This is a two-part composite indicator. The first part is a lagging metric: it describes the current level of vulnerability of the product. The second is predictive and describes potential vulnerabilities in the future. By measuring regularly, we can draw the teams’ attention to problems with a specific product in time and help solve them.

  • OWASP WRT
  • OWASP ASVS 3.0

2. Results of regular pentests performed by qualified external companies

Based on the results of external penetration tests we fix the vulnerabilities found and draw conclusions so that similar situations do not recur.
Even good results do not let us relax: new threats and attack vectors appear every day, and attackers become more inventive.

In the organizational direction, the results are more subjective:

  • We receive more reports from employees about potential vulnerabilities and incidents than before; employees understand the importance of timely communication.
  • Product teams come to us at the very early stages of a project, and there is an understanding that preventing a problem is much easier than fixing it.
  • GDPR

A high and proven level of product security can also be used to gain a competitive advantage.

We made sure that a good level of security can be achieved not only by punishing, forcing and intimidating the team with policies and NDAs, but also by a different approach: explaining the risks, involving people in creating and following the rules, and studying and taking past mistakes into account.
