Is building financial network security getting harder? Front-line practitioners share "practical" experience丨2023 INSEC WORLD

Original article by Technology Cloud Report.

As the curtain rises on the 14th Five-Year Plan era, the construction of domestic financial security has entered its second half.

On the one hand, while financial technology adopts a large number of new technologies to achieve business innovation, it also introduces more hidden network security risks.

On the other hand, as digital transformation spreads further through the financial industry, the volume of important data such as personal privacy and asset information has grown exponentially, and the complexity of financial services has made it increasingly difficult to build a data security protection system.

As the network security situation at home and abroad continues to evolve, the financial industry, a traditionally heavily regulated sector, is facing more formidable risks and challenges than ever before.

With the arrival of the era of "combat-oriented" network security construction, how should financial institutions continue to improve the systematization of network security and build a strong financial network security barrier?


On March 23, at the "Fintech Security" sub-forum of the 2023 INSEC WORLD World Information Security Conference, front-line fintech practitioners from Zheshang Bank, Soochow Securities, Minsheng Bank, Bank of China Securities, Guancheng Technology and others shared their practice and experience in financial security construction from different angles, staging a lively "Huashan Discussion" on financial security.

Financial data security: building a multi-span collaborative overall data security system

Today data has become an important factor of production, and the development of the digital economy has been elevated to the level of national strategy. This year's government work report at the Two Sessions stated that the digital economy would be vigorously developed in 2023.

However, the continued growth of the digital economy cannot be separated from data security guarantees. In recent years major data security incidents in the financial industry have occurred one after another, and the cost of data security violations and incidents has risen steadily.

China has further strengthened supervision of the financial industry, successively issuing industry standards and regulations such as the "Financial Data Security Data Security Classification Guide", the "Financial Data Security Data Life Cycle Security Specifications" and the "Data Security Measures for Banking and Insurance Institutions", and the People's Bank of China has issued the "Fintech Development Plan (2022-2025)". These documents repeatedly reiterated the importance of data security in the industry's top-level design and quickly raised its profile across the entire industry.

Although the era of strong supervision of financial data security has arrived, it is undeniable that there are still many pain points in building the financial industry's data security system.

According to Luo Jian, information technology risk prosecutor at China Zheshang Bank headquarters, the biggest pain points are the extremely large volume of data in the financial industry, the many channels for data leakage, the many cases involving internal employees, the long data supply chain and the high mobility of data assets. Although data has great potential as a factor of production, it is also difficult to manage, so there is a natural tension between security and data use. In addition, although the regulatory system has been introduced, the corresponding measures and technical means have not kept up.


Luo Jian, Information Technology Risk Prosecutor of China Zheshang Bank Headquarters

In this regard, Luo Jian introduced China Zheshang Bank's ideas and practices for data security management. He said that the core lies in "building a multi-span collaborative overall data security system", which has three parts: the management system, the technology system and the risk system.

First, the management system mainly consists of the organizational structure, management norms and process mechanisms.

The data security assurance management system does not start from scratch; it integrates existing network security and connects the business departments to form a multi-block coordinated security system.

On the basis of the network security responsibility system, hierarchical management is carried out, and a complete system of policies, regulations and guidelines is formed for institutional norms. For the talent pipeline, the overall data security goal sets the direction, and the pipeline is continuously improved through various means.

Second, the technical system includes big data, AI, encryption and other security technologies and products.

This system likewise does not start from scratch but integrates existing security products, and through multi-span collaboration and multi-platform connectivity promotes capacity building in five areas: protection covering all core leakage scenarios; real-time monitoring and discovery of sensitive data flows; multi-level data collection and analysis at terminals, on the network and elsewhere; real-time response to security risks; and unified enforcement of security policy.

Finally, the operations system needs to ensure data security throughout the entire process of data collection, transmission, storage, use, deletion and destruction.

Under the guidance of the management system and with the support of the technical system, and combined with the application scenarios, data security assurance is organically integrated with production business, operational coordination across business lines is completed, the risks of leakage and to capital security are reduced, and the security of financial data is guaranteed.

Among them, the inspection and evaluation link focuses on elements such as data assets, security vulnerabilities and emergency response capabilities, and lays a solid foundation for data security through operational actions such as evaluation, drills and confrontation;

In the continuous operation link, a full-process data security operation and protection system is built, from risk prevention beforehand, to monitoring and early warning during an event, to emergency response afterwards.

In addition, according to Luo Jian, China Zheshang Bank is currently exploring data security sharing. Through secure multi-party computation, it can perform joint calculation and modelling on partners' private data, so that data can be gathered, moved, shared, used and brought to life, making data sharing more secure.

The security of financial business comes from full-process security operation capability

Looking at the digitization of the financial industry, taking banks as an example, recent years have seen branch informatization, online banking, mobile banking and today's smart banking, which may develop into open banking in the future.

At present, the vast majority of banks are in the smart banking stage, that is, using technologies such as big data and artificial intelligence to provide customers with personalized and differentiated services.

As a result, the risk scenarios faced by banking business have also become more diverse, and the exposed attack surface and attack points have grown explosively.

Especially since the outbreak of the pandemic, gambling and fraud gangs of all kinds have accelerated their move online and are using AI technology to continuously escalate their confrontation with banks' risk control systems. High-tech gambling, fraud and money laundering cases continue to occur at a high rate.

For financial institutions, the current business fraud and data leakage risks continue to intensify.

So, how should financial institutions improve user experience and business empowerment on the premise of ensuring security and compliance?

In this regard, Dr. Wei Wei, Security Manager of China Minsheng Bank, shared the practice of Minsheng Bank's business security capacity building in the context of digital transformation.


Dr. Wei Wei, Security Manager of China Minsheng Bank

Wei Wei said that the overall idea is to establish full-process business security defense capability covering before, during and after an event.

Beforehand, planning and design are carried out in step with business project approval and requirements. During this process, scenario-based security strategies are evaluated and formulated jointly and the entire technical solution undergoes security assessment, to ensure security first at the business logic layer and then at the development level.

During an event, real-time detection and rapid disposal are achieved through the application and implementation of the security authentication strategy and tools, followed by identification and response by the risk policy model.

Afterwards, black-industry gangs are identified using an offline mining model so that prevention and control can be carried out in advance. In addition, intelligence is monitored and used, which feeds back into a closed-loop operation beforehand.

At present, the effectiveness of Minsheng Bank's business security construction is mainly reflected in two aspects:

One is transaction security: improving the ability to protect customer transactions while improving the customer experience.

Based on 130 risk prevention and control strategies, real-time protection is provided for 100 high-risk transaction scenarios across online and offline channels such as mobile banking, online banking and open banking, and customer transaction security is protected through interactive measures such as automatic interception and enhanced authentication.

The second is mining and countering the black industry. An active monitoring mechanism for online black and grey industry business has been established, and at the same time measures such as interception, control and countermeasures are taken against discovered black-industry gangs to improve the ability to prevent risk.

Based on the practice of building business security defense capability over the past few years, Wei Wei shared three points of view:

First, the essence of a bank's digital transformation lies in the openness and integration of platforms, data and business ecology, and continuous innovation to improve financial service capabilities.

In this process, the bank's business is continuously opening up, data assets are continuously expanding, offensive and defensive confrontation is constantly escalating, and security defense requirements are constantly increasing.

Second, under this trend, banking business is the fundamental source of demand for building bank information systems and for the flow of data assets, the main target of hacker attacks, and the central object of bank security protection and services.

Business security defense capabilities must be an essential part of the bank's information security defense system.

Third, establishing a full-mode, full-process business security solution is the cornerstone of building business security defense capability, and sustainable, efficient, integrated closed-loop operation capability is the key factor in the success of business security defense.

Blue army construction in financial security from the perspective of attack and defense

The essence of network security offense and defense is a game. As the saying goes, "Only by knowing the attack can you know the defense." In recent years, to assess enterprise security and find risk points within the organization in the field of information security, more and more "red-blue confrontation" offensive and defensive drills have been held.

Compared with traditional penetration testing, the blue army drill in a red-blue confrontation is closer to a real attack, and generally covers online business, enterprise personnel, partners, suppliers, the office environment, physical buildings, data centers and so on.

Among them, the blue army aims to realize full-scenario, multi-level attack simulation to measure how well the enterprise's personnel, network, applications, physical security controls and protection system hold up in the face of real attacks. Another important significance is to broaden the defenders' vision so that they understand both offense and defense.

In this regard, Jiang Qiong, head of technology risk and security at Bank of China Securities, shared the practice and experience of building a blue army in the securities industry from the perspective of the blue army.


Jiang Qiong, Head of Technology Risk and Security, BOC Securities

Jiang Qiong said that even when security staff are limited, enterprises need to build an internal blue army. Its main goal is to actively discover security risks within the enterprise through a lightweight and sustainable process.

Lightweight means the overall investment is limited. After all, any attack has a cost, and enterprises need to choose best practice while considering the resources they have.

At the same time, lightweight is also a guarantee of sustainability. With sustained investment in financial technology, the security operation system can also be sustained.

Regarding how to build a corporate blue army, Jiang Qiong set out four principles:

The first is that operations can be audited and data will not be leaked. A good platform is very effective for overall security operations, including simulating attack tools, auditing attack operations, and checking and backtracking.

The second is to attach great importance to building the blue army. The blue army must be highly valued within the enterprise, and is sometimes even given more authority than the security group.

Trust is important because independence is required to continuously identify risks across the enterprise.

The third is building the talent team. Human nature is often the point of breakthrough. Capable talent must be recruited in each field to ensure the organization can cooperate across fields.

The fourth is the review mechanism. When a security incident occurs, an internal sand table can be used for offensive and defensive deduction, forming a routine for reviewing and responding to incidents and switching flexibly between offense and defense.

Jiang Qiong believes that the goal of security work is to "moisten everything silently". Whether an enterprise's security construction is a large SOC or a small SOC, it must have division of labour and coordination like an army, and constantly absorb external strength to build its own fighting power.

Under the trend toward actual combat and trustworthiness, financial security construction needs multi-dimensional development

At the "Financial Technology Security" sub-forum that day, other speakers shared their experience of financial security construction from the perspectives of security testing and trusted security.

Liu Chenxi, deputy general manager of Beijing Guancheng Technology Co., Ltd., said that today's network threats have turned to encryption, and finance, as an industry that embraces new technologies, is facing more attacks at the network level.


Liu Chenxi, Deputy General Manager of Beijing Guancheng Technology Co., Ltd.

Attackers generally go through several stages, such as initial information collection, initial management, lateral movement and hitting the target, and different encrypted traffic is generated at each stage.

To address the challenges and threats posed by encrypted traffic, Liu Chenxi believes that a comprehensive decision-making system that includes AI should be used for detection.

First, collect the encrypted traffic data used by malware and, starting from protocols, certificates and so on, break out the multi-dimensional anomalous characteristics associated with it.

Second, train machine learning models and combine multiple models to make the relevant threat judgments.

Third, because of the particular nature of security threats, machine learning often has limitations, so behaviour, fingerprints, characteristics and other elements must be observed together to reach a comprehensive decision.
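The three steps above, as an added toy example that is not from the talk or any Guancheng product: anomaly features are pulled from TLS session metadata (protocol version, certificate, SNI, cipher) plus a behavioural beaconing score, two simple models are averaged as a stand-in for a trained ensemble, and a client-fingerprint watchlist provides the final "comprehensive" override. All session records, model weights and fingerprint values are constructed for illustration.

```python
import math
import statistics
from typing import Dict, List, Tuple

# Constructed TLS session metadata, as a flow sensor might export it (no payload needed).
SESSIONS: List[Dict] = [
    {"id": "s1", "tls_version": 1.3, "cipher": "TLS_AES_128_GCM_SHA256", "cert_issuer": "Example CA",
     "cert_subject": "www.example.com", "cert_valid_days": 365, "sni": "www.example.com",
     "client_fp": "fp-constructed-browser", "timestamps": [0, 7, 31, 90, 200]},
    {"id": "s2", "tls_version": 1.0, "cipher": "RC4-SHA", "cert_issuer": "localhost",
     "cert_subject": "localhost", "cert_valid_days": 7, "sni": "",
     "client_fp": "fp-constructed-unknown", "timestamps": [0, 60, 120, 180, 240, 300]},
    {"id": "s3", "tls_version": 1.2, "cipher": "ECDHE-RSA-AES256-GCM-SHA384", "cert_issuer": "Example CA",
     "cert_subject": "cdn.example.net", "cert_valid_days": 90, "sni": "cdn.example.net",
     "client_fp": "fp-constructed-known-bad", "timestamps": [0, 3, 50, 52, 400]},
]

def beacon_score(ts: List[float]) -> float:
    """Behavioural feature: 1.0 for perfectly regular connection intervals, 0.0 for irregular ones."""
    if len(ts) < 3:
        return 0.0
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return 0.0
    return max(0.0, 1.0 - statistics.pstdev(gaps) / mean)  # 1 - coefficient of variation

# Step 1: multi-dimensional anomaly features from protocol and certificate metadata.
def extract_features(s: Dict) -> Dict[str, float]:
    return {
        "legacy_tls": float(s["tls_version"] < 1.2),
        "self_signed": float(s["cert_issuer"] == s["cert_subject"]),
        "short_validity": float(s["cert_valid_days"] < 30),
        "no_sni": float(not s["sni"]),
        "weak_cipher": float(any(w in s["cipher"] for w in ("RC4", "NULL"))),
        "beaconing": beacon_score(s["timestamps"]),
    }

# Step 2: two simple models whose outputs are averaged (stand-in for a trained ensemble).
WEIGHTS = {"legacy_tls": 1.5, "self_signed": 1.5, "short_validity": 1.0,
           "no_sni": 1.0, "weak_cipher": 1.5, "beaconing": 2.0}  # constructed, not learned
BIAS = -3.0

def rule_model(f: Dict[str, float]) -> float:
    return sum(f.values()) / len(f)  # fraction of anomaly indicators present

def logistic_model(f: Dict[str, float]) -> float:
    z = BIAS + sum(WEIGHTS[k] * v for k, v in f.items())
    return 1.0 / (1.0 + math.exp(-z))

# Step 3: comprehensive decision: averaged model score plus a client-fingerprint watchlist.
KNOWN_BAD_FPS = {"fp-constructed-known-bad"}  # constructed placeholder list

def classify(s: Dict, threshold: float = 0.6) -> Tuple[str, float]:
    f = extract_features(s)
    score = 0.5 * rule_model(f) + 0.5 * logistic_model(f)
    if s["client_fp"] in KNOWN_BAD_FPS:  # a known fingerprint overrides a low model score
        return "malicious", score
    return ("suspicious" if score >= threshold else "benign"), score

if __name__ == "__main__":
    for sess in SESSIONS:
        print(sess["id"], *classify(sess))
```

Session s3 shows the point of the third step: its metadata looks clean and the models score it low, yet the fingerprint match still flags it.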

Xu Junchao, head of the information security management team at Soochow Securities, said that network security technology can only be safe and credible if it is autonomous and controllable. Autonomy and controllability are not only a national strategy but also a new driving force for national economic development under current conditions.


Xu Junchao, Head of Information Security Management Team of Soochow Securities

To ensure the security and credibility of network security technology itself, building the core capabilities of a trusted protection system is crucial.

In this regard, Soochow Securities has comprehensively built a security innovation system in the field of trusted protection, realizing host-based trusted protection that effectively resists unknown threats and independently withstands attacks and intrusions, much like the human body's own immune system.

The first is innovation in the security system architecture: it builds a multi-immunity trusted computing environment, provides active immunity and security and trustworthiness guarantees for applications, actively intercepts system operation elements, makes trust judgments according to predetermined policy rules, and promptly discovers and prohibits behaviour that does not meet expectations, ensuring safe and stable operation throughout the process.

The second is innovation in trusted computing and cryptographic technology, using these algorithms to fully replace the encryption algorithms currently used by the immune system, ensuring security, credibility, autonomy and controllability.

The third is innovation in trusted network connection. In a centrally managed network security environment, a three-circle, three-layer trusted connection architecture is adopted to effectively prevent attacks by colluding internal and external parties.

Epilogue

While the digital economy brings development opportunities to the financial industry, it also poses huge challenges to financial security.

As the country strengthens financial security construction, the network security construction of financial institutions is moving step by step toward an "emphasis on actual combat".

I believe the collision and confrontation of viewpoints at the 2023 INSEC WORLD "Fintech Security" forum can bring thoughts and insights to fintech practitioners.

[About Science and Technology Cloud Report]

Technology Cloud Report focuses on original enterprise-level content. Founded in 2015, it is one of the top 10 media outlets in the cutting-edge enterprise IT field, is recognized by the Ministry of Industry and Information Technology and Trusted Cloud, and is one of the official media designated by the Global Cloud Computing Conference. It publishes in-depth original reports on cloud computing, big data, artificial intelligence, blockchain and other fields.


Origin blog.csdn.net/weixin_43634380/article/details/129843281