Meeting the MAS Notice on Cyber Hygiene requirements on IBM i


On August 6, 2019, the Monetary Authority of Singapore issued a set of legally binding requirements to “raise the cyber security standards and strengthen cyber resilience of the financial sector.” This Notice on Cyber Hygiene took a number of key elements that already existed in the MAS Technology Risk Management (TRM) Guidelines, and put them into law.

Specifically, the Notice stipulates that financial institutions operating in Singapore must now:

    • establish and implement robust security for IT systems; 
    • ensure updates are applied to address system security flaws in a timely manner;
    • deploy security devices to restrict unauthorised network traffic;
    • implement measures to mitigate the risk of malware infection;  
    • secure the use of system accounts with special privileges to prevent unauthorised access; and 
    • strengthen user authentication for critical systems as well as systems used to access customer information.

With Singapore continuing to position itself as a major world financial centre, having a strong cyber security strategy in place is critical. In the words of the Chief Cyber Security Officer of MAS, Mr. Tan Yeow Seng, in reference to the Notice on Cyber Hygiene, “Cyber threats in the financial sector are growing as a result of an increased digital footprint and pervasive use of the Internet. The financial sector needs to remain vigilant and ensure that defences are able to counter varied and evolving threats. Good cyber hygiene can go a long way in protecting financial institutions from common types of cyber incursions. These fundamental and essential measures can be implemented by all financial institutions regardless of size or system complexity.”

FIs operating in Singapore have 12 months, that is until 6th August 2020, to implement these requirements, though there is a grace period of an additional 6 months for certain requirements as long as specified stop-gap measures have been put in place to mitigate the specific risks.

Many types of organisation come under the financial industry umbrella in Singapore, so quite a number of sectors are affected and, consequently, quite a number of individual notices have been issued, each specific to a sector. These include banks (Notice 655 Cyber Hygiene), insurers and insurance brokers (Notice 132 Cyber Hygiene), credit card and charge card licensees (Notice 655A Cyber Hygiene), finance companies (Notice 834 Cyber Hygiene), trust companies (Notice TCA N06 Cyber Hygiene), and more. While a large number of individual notices have been issued, from my review of the contents of each one, it would appear that the specific Cyber Hygiene Practices detailed in each notice are the same, and are addressed under the following headings:

          • Administrative Accounts
          • Security Patches
          • Security Standards
          • Network Perimeter Defense
          • Malware Protection
          • Multi-Factor Authentication

NOTE: For more complete information on the MAS Notice on Cyber Hygiene itself, please refer to the MAS Website. The following links may be good starting points:

Notice on Cyber Hygiene and the IBM i community

Now, as I am sure we are all aware, and as I have also discussed on previous blogs (refer here), the IBM i is considered to be a very secure system. Because of this, it often loses focus while companies place most of their attention on their less secure open systems. Well, with the introduction of the Notice on Cyber Hygiene, perhaps IBM i users need to sit up and address the security and compliance issues surrounding their IBM i a bit more diligently, as the Notice specifically mentions that ALL servers must be addressed.

The IBM i platform does present something of a challenge to security and compliance departments when it comes to addressing the TRM Guidelines and the Notice on Cyber Hygiene. While there is a plethora of vendors and solutions available in the market focused on open platforms and Windows, due to the uniqueness of the platform, generally those solutions are unable to help us meet our IBM i security and compliance objectives. Hence we need help from solutions that are specifically designed for this platform.

Before I continue further, a quick aside: in writing these blogs I normally try to avoid talking about the specific product names that we carry here at Joule Tech. Please forgive me for making an exception to this “rule” today. I want to affirm to you, the reader, that there are solutions available specifically for the IBM i, and it is not possible to discuss the specific Practices of the Notice on Cyber Hygiene, and how to address them on the IBM i platform, without mentioning product names.

With that in mind, the following table shows how the Powertech solutions, from our partner HelpSystems, address each of these Practices.

Notice on Cyber Hygiene Practices & How Joule Tech Can Help

Monetary Authority of Singapore Notice on Cyber Hygiene Practices

4.1 Administrative Accounts: A relevant entity must ensure that every administrative account in respect of any operating system, database, application, security appliance or network device, is secured to prevent any unauthorised access to or use of such account.

How Joule Tech Can Help

The Powertech solutions provide the ability to secure ALL users on the IBM i, including the ability to ensure the relevant access controls, and authentication, for administrative accounts are in place. In addition to this, event tracking, activity logging, and audit trails can be put in place for such users, even to the level of collecting screen shots of their activities if so desired. The software can also perform automated compliance checks to audit the ongoing security settings of administrative accounts (and all users) against predefined conditions – to ensure that the security levels are maintained and abnormalities monitored for.

Powertech governs privileged user access and determines what activities they can perform. Additionally, if certain users need to be assigned elevated access rights for stipulated periods of time, the software is able to enable this in an appropriately controlled and audited manner.

4.2 Security Patches:

(a)  A relevant entity must ensure that security patches are applied to address vulnerabilities to every system, and apply such security patches within a timeframe that is commensurate with the risks posed by each vulnerability.

(b)  Where no security patch is available to address a vulnerability, the relevant entity must ensure that controls are instituted to reduce any risk posed by such vulnerability to such a system.

How Joule Tech Can Help

This is one Practice that organisations will likely have to perform manually.

4.3 Security Standards:

(a)  A relevant entity must ensure that there is a written set of security standards for every system.

(b)  Subject to sub-paragraph (c), a relevant entity must ensure that every system conforms to the set of security standards.

(c)  Where the system is unable to conform to the set of security standards, the relevant entity must ensure that controls are instituted to reduce any risk posed by such non-conformity.

How Joule Tech Can Help

The Powertech solutions can support Part (b) of this Practice. The standards, or security policy, defined in Part (a) can be applied to the compliance monitor software, which can then be run on a scheduled or ad hoc basis to keep the security and compliance teams apprised of conformity and non-conformity to the standards. The severity of each non-compliance is prioritised (and colour coded), making the task of attending to each problem more efficient.

4.4 Network Perimeter Defense: A relevant entity must implement controls at its network perimeter to restrict all unauthorised network traffic.

How Joule Tech Can Help

Powertech is capable of monitoring 30 exit points for IBM i and provides real-time event monitoring in Security Information and Event Management (SIEM) and Intrusion Detection (IDS).

4.5 Malware protection: A relevant entity must ensure that one or more malware protection measures are implemented on every system, to mitigate the risk of malware infection, where such malware protection measures are available and can be implemented.

How Joule Tech Can Help

Viruses on the IBM i, you may ask? This is an area that needs to be addressed, and it is most effectively addressed with a solution running on the specific platform itself. Powertech’s anti-virus solution is the only product available that is able to deploy as native anti-virus software on IBM i. It will also work on AIX and Linux, thus covering all bases on the IBM Power servers.

4.6 Multi-factor Authentication: Subject to paragraph 4.7, a relevant entity must ensure that multi-factor authentication is implemented for the following:

(a)  all administrative accounts in respect of any operating system, database, application, security appliance or network device that is a critical system; and

(b)  all accounts on any system used by the relevant entity to access customer information through the internet.

How Joule Tech Can Help

NOTE: The Notice allows for a 6-month extension for the implementation of this Practice (through to 5 February 2021), as long as a number of stipulated conditions are followed. Refer to the Notice for more details.

The Powertech solutions provide IBM i organisations with a number of options for meeting this multi-factor authentication requirement. One is to run a standalone MFA system entirely on the IBM i server itself; this approach does not require integration with any third-party MFA vendor. Alternatively, if a company is already operating third-party vendor solutions (such as RSA SecurID), then an IBM i agent can be used to integrate with such a solution.

I talk in greater detail about MFA in a separate recent blog, and on this webpage.

Would You Like To Know More?

Please note that this blog is intended only to provide you with a high-level overview of the Notice on Cyber Hygiene and some of the ways that the solutions which Joule Tech carries can help to address its Practices. If you are interested in learning more, please complete the form below or Contact Us here.