FinTech. And what to protect?

Hello everyone,



A quick moment of de-anonymization: my name is Anatoly Makovetskiy, I am Security Team Lead at Exness.



I will apologize right away to those who expect to see a technical write-up: there will be none here. The material also describes things that are so obvious at first glance that it is not even certain they really are, so you may reasonably ask me how I got hired and when I will stop pretending to be a security person (the answer is in the picture under the cut).







Let's go.





Image: Telegram channel Information Security Memes (https://t.me/infosecmemes)



My previous several years in the profession were shaped in technology companies, and as an information security specialist I protected... information (Captain Obvious), although wait: if I understand it correctly, as is customary in our industry, there was often a good admixture of protecting systems, without much real distinction as to what information they contain, how important these systems are to the business, whether there is something more important right now, and other such conventions.



Admit it, in the absence of strict management, well-built processes, clear priorities and other such happiness, it is so cool to jump from system to system, finding beautiful bugs on the surface or a little deeper on the basis of someone else's fresh research or your own experience, and showing impressive ways of exploiting them. This really lets you build a dialogue with other IT teams and earn some credibility. Somewhere I got carried away...



Yes, that's right, real information security is based on processes: ISO 27k in the teeth, and off we go to wear down the brains of IT and top management; we will tell everything, explain everything, justify and show, and no one will argue, because it is necessary. But will our processes in the field actually get better from the introduction of the next standard?



In fact, the message is that you need to try to move to the root idea, to comprehensive and balanced protection of valuable business assets, rather than to "patching" security, otherwise it will look like this:





Photo: s.66.ru



Forgive me for such extreme examples on both sides; I understand that it cannot be taken to this point, but in my own experience I was carried from one extreme to the other exactly as written above. So I deeply hope there is a decent adult audience here, and that my experience is insignificant against the background of yours, since I started with the most complete paperwork in its worst manifestations, then moved smoothly through IT to practical areas; so I rushed from one extreme to the other, and saw those who sat in these extremes next to me, so I was not alone there. And I will note one thing:



, , , , :


  • , ( ), , , , , ;
  • , - , , , , .


Both approaches have their positive sides, since insufficient attention to either of them generates its own separate risks, but the truth is in balance; otherwise we get security for the sake of security, somewhere near the proverbial spherical horse in a vacuum. Here we come to one more obvious observation:



  1. Information security officers push for the need to protect everything and everyone, often without setting real priorities, and rejoice at any opportunity to publicly lynch someone, proudly frowning to prove themselves, when someone violates a built or unfinished process.
  2. Practical security people often focus on not allowing vulnerabilities to be present anywhere, since any vulnerability potentially compromises the entire environment, but they also have prioritization gaps, giving higher priority to a more vulnerable system than to a more sensitive but less* vulnerable one.


Note: *
, , , .



Often we rely on someone else's experience, on someone else's priorities that we read somewhere, which are not always incorrect or inappropriate, but are often not optimal enough for our specific conditions: the "Quick Start" category, which can sometimes be justified when there are only tumbleweeds rolling around, and is obviously better than nothing, but meanwhile the business lives its own life.



By the way, what about the dialogue between business and security? In my deep opinion, we (security people) very often try to sell the business what it does not understand, what it does not really need and what does not relate to it very much, or we do not even try to sell anything. That is, our argumentation as representatives of security is based on the ideas and foundations of our own industry, from which the business may be very far away, and we need to motivate it in clear language and reasonably; then the effect will be more predictable and longer-term, and business involvement higher. Ultimately, we should go to the business for the budget, however much we would like it to be the other way around :)



Why do businesses need us at all? Sometimes security is needed for show, because it is simply required. Let's leave such cases aside and talk about cases where security appears due to an understanding of the need for it. The right business wants to pay money to comprehensively assess potential risks in advance and deal with them in advance, as well as to respond to threats being realized in a timely and effective manner, draw conclusions from them for the future and become stronger. That is, we are hired to help, but how can we help?



First of all, you need to understand how the company makes money, what it does and what it strives for, and then protect that with all your might. If a business breeds chickens that lay eggs that end up on kind people's tables as food, then let's protect the chickens, their eggs, the processes around them and the way they are delivered to the tables. If the business is engaged in Big Data, then let's protect this very big data, the computers, the raw data, the algorithms and everything connected with it.



So, to my great regret, only a small part of colleagues in the trade actually comes, in practice, to realize the weak efficiency of an approach inconsistent with the business and to subsequently implement a working model based on business priorities. And what allows us to identify real threats? That's right, modeling them.



Let's step aside for a moment and imagine the overall threat modeling process as I see it:



  1. We define the valuable assets of the company; the valuable ones are those whose violated properties ultimately lead to losses, which, in my experience, ultimately boil down to financial losses, directly or indirectly, if we are talking about a commercial company. Here, as a rule, we get this or that information, which we must protect out of our own interest or for regulatory reasons. I never had a chance to work in gold mines; maybe there, information is not in first place.
  2. We rank those most valuable assets in order to prioritize somehow.
  3. , , , , , ( , - , , , , ).
  4. .
  5. , , , , , , .
  6. .
  7. , **, .


: **
. , , .., , , , , , , , , .



So, earlier, from experience, the protected asset was always information for me, and this was enough to build protection, but when I came to Exness and began to form a model that takes local peculiarities into account, I could not shake the feeling that something was missing, that something important had been missed, until it dawned on me (yes, laugh at me, the security impostor writing this post, and at the obviousness of what is happening):



"There is money in fintech."


Any company has money. Any company, at least sooner or later, pays wages to employees, rents an office, conducts some kind of economic activity and provides work for the accounting department, but this boils down to having a bank account or, at most, a payment system integrated with the website. Fintech, however, has real money, external users work with it, and a good part of the operations with it are automated. Oops...



Now let's imagine that in addition to a bunch of business-relevant and other protected information, yes, including credentials and keys for Internet banking, which everyone has and which are also about money, you have, at the very least, real money of clients that they deposit into your accounts within your systems. That is, inside the systems this is formally the same information as everything around it, but in reality it is money that is transformed into information and back at the boundaries of the systems, and you should not treat it as ordinary information.



The image below shows a flow diagram of one of our products :)





Image: “DuckTales” series Walt Disney Television Animation



Also, moving away from the paradigm that we only protect information made it possible to recognize another type of valuable resource that I had previously neglected, but which everyone has, although it is rather ambiguous: a relationship, which can be a partnership with a customer or traffic provider, or with a communications, security or infrastructure service provider. Of course, before I always implicitly considered this, but only in the context of a threat realized in a vacuum, in the Business Continuity Plan and Disaster Recovery Plan category; here it has transformed in my mind into a fully conscious asset that is worth identifying and protecting, which expands our coverage, since in this respect we begin to move not only from known threats but also from the asset itself, as an object potentially exposed to unknown threats. But that is not what this is about now.



If you look closer, you can see money from all sides:



  1. At a minimum, there is all the same economic activity as in any other company.
  2. There are products related to financial transactions and the speed of their execution, which contain the real logic of the entry and exit of funds; that is, money cannot be locked away in a distant safe and looked at only once a day after a special ceremony with "bows" and complete "undressing". It needs to move through systems, and usually the faster, the better for the business.
  3. There is a huge bunch of different payment systems and other tools, each with its own implementation of interaction, restrictions and integration features.
  4. There is an infrastructure in which the products operate.
  5. , ; , ; , ; , - .
  6. , .


As a result, there is a huge number of joints between assets, systems, users, employees, partners and processes, and, as a rule, we receive the main threats at the joints, and additional joints create new threats.



All this means that at the root lies not only the information or data familiar to information security officers, but also assets of a different kind, like money, which, given such a scale of "disaster", is quite difficult to reduce exclusively to the information and data familiar to all of us. The realization of a threat against some familiar type of information does not always lead to damage, whereas in the case of money each transaction has a minimum known and unambiguous value, especially when we are talking about its rather fast passage, and that value can only increase depending on the nature of the threat.



That is, in the case of Internet banking or crypto-wallets, you have credentials / secrets / keys to access them (summarized by the word "secrets"). Secrets are information, but there are also processes, procedures and ceremonies for working with them, and a relatively narrow circle of people who work with them. Here, too, the concept of information protection does not break down, but when we move to the stage where payment logic passes directly or indirectly through everything around, and money is "smeared" across different products and systems, the situation becomes much trickier :)



In the end, the only thing we should rely on is our connection with the business and our good understanding of it, which translates into a certain internal expertise, which we can and should continuously develop and immediately translate into an up-to-date threat model, which in turn we must overlay on the features of our systems in order to prevent gaps and randomness and, as a result, meaninglessness in all our work.



Forgive me for so many words about such a short thought, but I would like all of us in the information security industry to think once again about what we do and how, and if we are given the opportunity, to do everything right, so that all stages are coordinated with each other, and if such an opportunity is not given, to fight for it, if it's worth it; otherwise we will always be several steps behind the attackers, since they usually know their goals well and follow them, unlike us.



If this material does not completely fail, I will try to reveal in more detail and in a more practically-oriented way the main approaches, "tools" and my subjective vision of such topics as:



  • My own "bicycle" on the topic of threat modeling (if there is demand for it, since there are enough reinvented wheels even without mine);
  • (Not) trust and safety;
  • Bug Bounty, how we do it and what we strive for;
  • Remarks about the peculiarities of the Russian-speaking market of information security specialists after a long experience as an interviewer;
  • What should drive security.


If the material landed well, upvote; if it failed, drown it in the comments. Always happy to receive constructive feedback, positive or not.



Kindness to all, and a balanced professional approach!


