Interview with Osama Hiji CSO of Banque Du Caire
Can you please introduce yourself to security Kaizen magazine readers (BIO, Experience)?
I am Osama Mohammed Hijji, graduated from Arab Academy For Sciences & Technology, 1998 from computer engineering department.
I am currently the Chief Security Officer for Banque Du Caire and I spent the last 10 years of my career working on security especially information/logical security mainly in the ICT industry in companies such as Orange and MobiNil, yet I worked and served as well in the health, publishing, military and now banking sectors through the rest of my career. I launched my career from the Ministry of Health & Population where I had my first job as a Network & IT Administrator in one of the ministry projects, and from there I moved forward through my career by leading later MobiNil OSS Team, then managing Equant Network operation and support for West Europe region and finally directing Orange IT Security Services Operation, Transition, and Creation activities manned from Cairo before I move to Banque Du Caire as CSO.
What kind of challenges and threats do you face as a CSO for one of the largest banks in Egypt?
I believe the greatest challenge facing the ICT sector today in Egypt and not just banking is the expansion in the use of IT in general and cyberspace (as Internet) in particular without provisioning for the required security measures. In most of the cases the expansion was a response for a business need or a market demand like internet banking an example; the state represented in the Central Bank of Egypt provided governing rules for internet banking only recently in November 2014 while the internet banking was offered by several banks in Egypt years before this and each bank decided according to its own standards how much it will invest in securing this service, customers information and money which was certainly not enough and hence risky and from there it was clear governing rules had to be issued. If you take this to a higher stage and look at the big picture, we need a governing corp in Egypt for information security that is lost between several authorities such as Ministry of Communication and Information Technology (MCIT), Ministry of Interior (MOI), and in the banking industry Central Bank of Egypt (CBE). I am not talking here about having a CERT team in MCIT and a Cyber Crime Investigation Unit in MOI, we need in the age of internet much more than that, an information security authority that puts and enforce governance rules and consolidates all related units working on this subject across the state for this important aspect of everything we do electronically. On a different topic as well we need to work considerably on spreading information security awareness among consumers and retailers in particular; people behavior simply need to be changed in regards to their credentials in case they want to use electronic services from Internet to ATMs otherwise they are exposing themselves to several risks from fraud to identity theft. Retailers as well tend to ruin everything large organizations are doing, a banks in generals invest millions of EGPs on securing their customer payment cards information which still finds its way to fraudsters who attack retailers with lesser investment in security hence less secure environment.
How many attacks that your bank is facing per month or per year? How are you dealing with them?
I am not in a position to disclose such information but I can tell you that all banks in Egypt are facing recently a surge in ATM attacks such as installing skimmers on card readers. Phishing attacks as well reached the the level of outbreak and are spreading in viral way not only over email and social media but as well in SMS
and even through published advertisements. It goes without saying that the security situation in Egypt had a significant impact on banks owned by the state
in particular which become a more likely target for both cyber and physical attacks compared to all other banks in Egypt; it doesn’t take a genius to figure out
that state banks websites are targeted by vandalism attack attempts more than any other banks as some terrorist groups would like to send a message this way
or create chaos or havoc in one of the very sensitive and important functions of the state. We are taking a variety of measures to face an incredibly and very
quickly growing spectrum of threats; we had first to “spread the word” i.e. raise the security awareness and educate our staff who needed to understand that the
world, technology and consequently threats around them are changing and they needed obviously to know what/where the new threats and how to respond to
them in order not only to protect the bank but as well to protect and educate the customers. Naturally all the banks have multiple layers of defenses to protect
their environment starting from internet gateways equipped with multi-stage resilient clusters of firewalls and IDPs down to full REPS solution deployed across
all institution PCs through web application firewalls, email, URL & Content filters and antivirus, as well as SIEM and DLPs which are becoming a tradition in most
of the banks of Egypt.
How can you see the daily behavior of banking customers towards their banking accounts?
To try to improve their security awareness, especially on how to handle their credentials. You can’t use digital and electronic services in the internet age while you are still not aware till today that your PIN, Password, or OTP Token are simply a secret you should not tell to anyone under any pretext. Many people still give away their passwords & PIN codes willingly! … If there is a law it will protect people from the crime of stealing their credentials but if they willingly disclose their credentials there is no crime in the first place … This is like giving away your money … We can jail those who steal your money or take it against your will but we can’t do so if you give it willingly because there is no crime in this case.
Are there any connections or engagements with your Info. Sec department and EG CERT or any other security agency?
Banks in general are under the authority of the Central Bank of Egypt (CBE) which we need to report to our activity including all incidents we are exposed to in
a way or another. The coordination with EG-CERT has been introduced on policy level at least for internet banking however it goes without saying that we need
generally to improve the communication channels between the various InfoSec teams in banking industry and the information security organizations of the
state whether it is EG-CERT or MOI electronic crime investigation units or else. Banks more than any other sectors in Egypt need security intelligence information
about trends in cyber threats including cyber-terrorism and its evolution such as who is being targeted and how, this is why I believe that what needs to be done is not simply to coordinate with EG-CERT but we need to look at the much bigger image in this context: Just the same way Ministry of Finance (MOF) and CBE govern all
financial activities whether it is performed by financial institutions or else (For example the introduction of money transfers through mobile operators) we need as
well to have a body governing all information security activity whether performed by ICT institutions or else.
Can you tell us about your team? What activities they do and what are needed to join a security team in banks on general?
We are responsible for the information security of the bank; to make it simple we are responsible for the 3 Ps: People, Process and Platforms; starting from the last “P” we engineer, implement and operate information security solutions required for our business, we engineer, document, implement and enforce security policies and procedures and finally improve people (employees included) awareness and security in term of securing their own information. Information Security professionals working in the banking industry have 1 major difference from the rest of their peers; understanding banking services and the security required for the delivery of those services through electronic channels such as automatic teller machines (ATMs) and mobile/internet banking. Other than this we require the usual such as solid networking and systems administrations experience, knowledge of network firewalls, application firewalls, email, URL & content filtering, REPS and authentication technologies.
What is the worst scenario that your team has ever faced?
When you work in banks security i.e. protecting people money and information you get to know that there is no such thing as the worst scenario … all scenarios are “nightmarish!” a viral outbreak has a very different flavor in banks especially when the virus targets data destruction; however our worst nightmare right now in retail for almost most of the banks is staling customers card information using various techniques ranging from phishing and social engineering to skimming; international “organized crime” syndicates are now involved in the illegal trade of stolen customer information – mainly payment cards information – and recently several local as well as international (mainly Asian) gangs where arrested by police upon banks investigations because of implanting skimmers on ATM machines and trafficking payment cards information to buyers in Europe whom may later print the cards using the information received and cash it or use the details over internet.
What are the strategies that your bank follow?
Our strategy can be summarized in “enabling business through security”; you must understand that historically the main service provided by banks is indeed “Security”, before banks started offering loans, interest on deposits, ability to withdraw money anywhere through branches or at any time through ATMs, before all this banks used to offer mainly a secure and safe store for money … “Point Final” as in French! Banks are very old institutions and they existed for hundreds of years for the sole purpose of providing the security service of safeguarding people money i.e. in short without “security” there is no banking and security is what enables banking and our mission and strategy consequently is built around this and how to make our bank services and information assets secure.
How can you see the information security infrastructure in Egypt? How it can affect your security strategy at the bank?
In my point of view the information security infrastructure in Egypt need significant improvement. We need everything starting from laws through a consolidated authority down to identifying critical information assets on the state level and the proper measures and technologies to protect it. I would say we need the minimum of implementing detective controls on Egypt level in order to be able to tell when a sensitive information asset is subject to an attack, you simply can’t leave this to the institution owning this information asset because even if they have their own detective controls, will they inform authorities of the attack they were subjected to?
or they will prefer to hide it especially if the attack is successful, beside knowing is the first step for responding; as an example is there anywhere in the state someone monitoring DDOS attacks on private sector internet banking websites? What if an attack succeeded in breaching a bank security and stealing customer information, how long would it take that bank to inform the state and wouldn’t be better that the state be able to know of the occurrence of such an attack and start alerting other banks probably using the same or similar technology of the victim bank. Ask yourself how much of what we through over internet is protected by the least of a detective and I wont ask for a preventive control and you easily realize most of our information assets are in jeopardy. For banks it is crucial in order to build their own security strategies and policies that the state adopts a strategy and policy for banking information security and pass it to us. The CBE is doing a considerable effort to make this happen however what we have us far from the practice and systems already existing in other countries. To wrap it up, we need an infrastructure of laws, organizations
and technologies that enables Egypt to be information secure, the fact this is not the case now puts a huge burden on banks.
What are the Cybercrime Challenges in Egypt and the Middle East?
There is a very simple rule all security folks know “Where there is no security …. Crime thrives”; this is correct for logical security as much as it is correct for physical security and this is again our biggest challenge. Cyber-crime is flourishing in Egypt, most of Middle-East, Arabic & Islamic worlds simply because we are not applying the simple rule of “Where there is no security .. Crime thrives”! Ask yourself the simple question of do we have a cyber-security organization that fights cyber-crime in Arab and Islamic countries Egypt included? The answer in most cases is simply: “NO” we do not have such an organization which takes us back to the same subject of question 2 where we said we need a consolidated information security authority that is the cyber-security function of the state fighting cyber-crime. This being said all cyber-crimes no matter how silly , simple , small or smart, sophisticated and large they are…They are all huge challenges because you simply have nothing to face it with, if you left a small fire without extinguishing wouldn’t it become a large fire? That’s exactly the situation. Yet I would say it right now our biggest cyber-crime challenge remains “Identity theft”/”phishing”.
From your experience, What are the main problems in Information system in Egypt ? And what is needed to fix those problems ?
The problem is clearly the absence of an authority and laws for information security and to a lesser extent the weakness of the information security infrastructure . The solution is simply to make an authority and laws for information security and to improve its infrastructure.
What are the main characteristics that have to be in an Egyptian law to face the cyber-crime in Egypt?
I believe we must first and before anything agree on what are the rights of people in the cyber domain and then define accordingly , clearly and very specifically what is a “Cyber-crime” We need as well a very clear scoping for the law that makes it very clear in the age the internet when a crime is within the jurisdiction of Egyptian cyber-crime law and finally we need to have a very clear view of what is acceptable legally as digital forensics and who is the authority in charge of carrying investigation and forensic analysis. Needless to mention the law has to be constitutional and does not violate clear statements as article 57″.
للحياة الخاصة حرمة , و هي مصونة لا تمس ز و للمراسلات البريدية و البرقية و الاكترونية و المحادثات الهاتفية و غيرها من و سائل الاتصال حرمة , و سريتها مكفولة و لا تجوز مصادرتها او الاطلاع عليها او مراقبتها الا بامر قضائي مسبب و لمدة محددة و في الاحوال التي يبينها القانون ز كما تلتزم الدولة بحماية حف المواطنين في استخدام وسائل الاتصال العامة بكافة اشكالها , و لا يجوز تعطيلها او وقفها او حرمان الواطنين