From the security risk incidents of technology outsourcing suppliers in the banking and insurance industry: a look at supply chain security in the financial industry

Recently, the State Administration of Financial Supervision issued the "Notice on Strengthening Network and Data Security Management in Third-Party Cooperation". The Notice reported a number of technology outsourcing risk incidents that had a certain impact on data security and business continuity, exposing prominent problems in the outsourcing service management of banking and insurance institutions. All banking and insurance institutions are required to conduct an in-depth investigation of hidden risks in their supply chains in light of the reported problems, and to effectively strengthen rectification.

Among the 5 technology outsourcing risk incidents mentioned in the "Notice", 3 were caused by hacker attacks exploiting security loopholes in the systems and third-party tools provided by outsourcing service providers. For example, in August 2022, the online banking system of four provincial associations, hosted at a service provider, was breached by criminals through an unauthorized access vulnerability, and a large amount of customer information and account information was stolen. Financial institutions are facing serious supply chain security management challenges.

01 Challenges for supply chain security management of financial institutions

High reliance on third-party technology suppliers; supply-cut and information security risks surge

With the continuous deepening of digital transformation, banks, insurers and other financial institutions have a growing demand for external information technology. Information technology outsourcing suppliers, as a professional force making up for the shortcomings of traditional financial institutions' own information technology capabilities, play an increasingly important role in the digital transformation of financial institutions.

Most small and medium-sized commercial banks even entrust all of their information technology infrastructure to external organizations. The consequence is that attackers may use a supplier as a springboard to attack the institution, resulting in data leakage or business disruption, or even in regulatory violations for which the institution is punished accordingly.

Financial Institutions Are Increasingly Targeted by Cybercriminals

The financial industry is one of the country's key information infrastructures, and the security of financial technology systems bears on the stability of users, society and the country as a whole. As the informatization of financial institutions deepens, interconnection brings efficiency but also exposes institutions to serious security threats.

According to data from the National Internet Financial Risk Analysis Technology Platform, as of the end of October 2021 a total of 74.768 million attacks on Internet financial websites had been discovered. APT attacks and targeted cyber attacks against financial institutions are increasing day by day. Committing financial crimes through Internet attacks has become an important means of financial crime, and financial institutions have become the preferred targets of cybercriminals.

The level of third-party suppliers is uneven, and the security risks are great

Suppliers do not pay enough attention to product security, and their developers have limited secure development capabilities, so the security and quality of third-party products are uneven. Security loopholes in suppliers' research and development systems that are breached by criminals, together with weak security controls over outsourced service personnel, mean that leaks of bank customer data are not uncommon.

Software sources are complex, and comprehensive security review is difficult

As financial institutions increasingly procure software, outsource development and invoke third-party resources, the software supply chain lengthens, the number of participants in implementation grows, and more risk-bearing links are introduced. At the same time, different branches act independently in software procurement, acceptance, operation and maintenance, and their software security access standards differ, making overall software security management across a financial institution more difficult.

02 "Two-word" thinking on supply chain security governance of financial institutions

First word: Full

A large part of the reason why software supply chain attacks have become an important method of hacker attacks today is that supply chains are systematic and highly connected. The upstream, midstream and downstream are interlocking, and by "breaking" one weak link in the software supply chain, an attacker can affect the operation of the end enterprise's software systems. This leverage, where a small effort produces a large effect, keeps cybercriminals coming back.

Therefore, when considering the security governance of a financial institution's supply chain, our primary idea is "Full". "Full" means that all internal and external software systems (including outsourced, third-party and self-developed systems) are, without exception, subjected to strict security reviews at the key nodes of the software supply chain, and that the inside of each software system is inspected comprehensively and in detail: source code, components, application functions, operating environment, ports, binary files, and so on.

The "Network Security Cloud Software Security Online Testing Service" has provided professional and standardized security testing services for many large client (Party A) enterprises, customized security access testing standards for software suppliers, and offered a one-stop service meeting the software supply chain security detection requirements of small and medium-sized financial institutions. A team of top-tier security experts assists with vulnerability verification and provides free re-testing after rectification, helping customers achieve closed-loop security management.

Second word: Ming (clear)

Today, software security attack techniques are constantly being upgraded. Attacks targeting the software supply chain in particular are highly covert and difficult to trace, posing a great threat to the security of financial services. At the same time, information about the sources, dependencies and open source licenses of the software components inside financial institutions is opaque and unclear, which makes security risks harder to find, trace and eliminate, weakens security controllability, and makes emergency response to system security risks more difficult. Therefore, the second idea of software supply chain security governance is "Ming", meaning "clear".

"Ming" refers to opening the "black box" of software assets: sorting out and visually presenting basic information such as software versions, suppliers and internal component information, together with the associations between them. This greatly reduces the "ambiguity" of software assets, helps financial institutions quickly take stock of what they actually run, and puts the initiative for system security back in their own hands.

The Network Security Cloud software bill of materials management platform, starting from basic information such as software/component sources and versions and internal software component information, dynamically correlates external security vulnerability intelligence to track and manage enterprise software assets securely. Using data analysis, processing and mining technologies together with multi-dimensional data visualization, it makes the security situation of software assets clear, so that software security issues have nowhere to hide.
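The mechanism described above (an inventory of applications, their suppliers and the components they bundle, correlated against external vulnerability intelligence) can be illustrated with a small script. The block below is an added example written for this article; it is not code from the Network Security Cloud platform. The SBOM entries, supplier names, version ranges and advisory ids (`ADV-000x`) are constructed placeholders, not real products or CVEs. It shows three things the text calls for: a per-application component list, numeric rather than lexical version comparison (so `2.10.0` is correctly treated as newer than `2.4.0`), and a reverse index from an affected component to every application and supplier it reaches, which is what an emergency responder needs first.

```python
"""Added example: correlate an SBOM inventory with a vulnerability feed.
All data below is constructed sample data; advisory ids are placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed SBOM: one entry per deployed application, with its supplier
# and the (component, version) pairs it bundles.
SAMPLE_SBOM: Dict[str, dict] = {
    "online-banking-portal": {
        "supplier": "Vendor-A (hypothetical)",
        "components": [("json-parser", "2.3.1"), ("auth-lib", "1.0.4"), ("tls-lib", "3.0.2")],
    },
    "mobile-api-gateway": {
        "supplier": "Vendor-B (hypothetical)",
        "components": [("json-parser", "2.5.0"), ("auth-lib", "1.0.4")],
    },
    "internal-report-tool": {
        "supplier": "self-developed",
        "components": [("tls-lib", "3.1.0")],
    },
}

# Constructed vulnerability intelligence: (advisory id, component,
# introduced version, fixed version, severity). Affected range is [introduced, fixed).
SAMPLE_ADVISORIES: List[Tuple[str, str, str, str, str]] = [
    ("ADV-0001 (placeholder)", "json-parser", "2.0.0", "2.4.0", "high"),
    ("ADV-0002 (placeholder)", "auth-lib", "1.0.0", "1.0.5", "critical"),
    ("ADV-0003 (placeholder)", "tls-lib", "3.0.0", "3.0.3", "medium"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so ranges compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under numeric comparison."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


@dataclass(frozen=True)
class Finding:
    application: str
    supplier: str
    component: str
    version: str
    advisory: str
    severity: str


def correlate(sbom: Dict[str, dict], advisories) -> List[Finding]:
    """Join every bundled component against the advisory feed; one Finding per hit."""
    findings = []
    for app, meta in sbom.items():
        for comp, ver in meta["components"]:
            for adv_id, adv_comp, intro, fixed, sev in advisories:
                if comp == adv_comp and is_affected(ver, intro, fixed):
                    findings.append(Finding(app, meta["supplier"], comp, ver, adv_id, sev))
    # Most severe first, so the response queue starts at the top.
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.application))


def impact_by_component(findings: List[Finding]) -> Dict[Tuple[str, str], List[str]]:
    """Reverse index: (component, advisory) -> applications that ship it.
    This is the 'association' view: one advisory, every affected system."""
    index: Dict[Tuple[str, str], List[str]] = {}
    for f in findings:
        index.setdefault((f.component, f.advisory), []).append(f.application)
    return {k: sorted(v) for k, v in index.items()}


if __name__ == "__main__":
    results = correlate(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in results:
        print(f"[{f.severity:>8}] {f.application} ({f.supplier}): "
              f"{f.component} {f.version} affected by {f.advisory}")
    for (comp, adv), apps in impact_by_component(results).items():
        print(f"{adv}: {comp} reaches {', '.join(apps)}")
```

Run as-is to see the ranked findings and the per-advisory blast radius. In practice the SBOM would be loaded from a standard format such as CycloneDX or SPDX and the advisory feed from a vulnerability database, but the join logic is the same.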

A security issue at any link in the software supply chain may become the entry point for a hacker attack. As the saying goes, a thousand-mile dike can collapse from a single ant hole: every checkpoint in the software supply chain should be controlled, and small loopholes must not be allowed to grow into disasters.

The above is the whole content of this issue.

If you are interested in the services above and want to know more, you can send a private message or leave a message in the comment area.



Origin blog.csdn.net/weixin_55163056/article/details/132446077