Europe 2022

Cybersecurity During Dark Times

We are currently living in dark times, and as 2022 unfolds, the banking sector is being heavily targeted by direct attacks, and banking customers all around the world are being approached with more and more sophisticated social engineering scams.

How did our bank adapt to this, and what challenges did we face along the way in order to keep our customers safe and secure?

During our talk we will cover our organizational challenges from a DevOps and cybersecurity perspective, together with a glance at the current struggles in global banking cybersecurity.

Full transcript

The complete talk, organized by section.

Mihai Popa

Hello, everyone, and thank you very much for attending our session. We're very happy to be here back in DOES after a couple of times when we had this opportunity to do it in the past. Unfortunately, this year again, we are not face-to-face, but it is what it is. We hope that next year we'll be able to see each other again in person. We are going to discuss today about cybersecurity during dark times, as it's written on the PowerPoint. And although we all have the impression that the COVID pandemic has passed, we will discuss about some of the challenges that we do see in the cybersecurity area after this COVID pandemic. Of course, alongside with me, I have my two best friends, George and Mihai.

So a short introduction about ourselves. My name is Mihai Popa. I'm the head of Global Consumer Lending Platform in ING. George is the IT Ops Manager for Fraud and Cybersecurity, and Mihai is Engineering Manager for Fraud and Cybersecurity. You might have seen us in the past presentation in DOES for multiple other topics. As I said, we're working for ING. ING is a medium-sized European bank. We are having 6,000 employees and around 10,000 tech people with a market focus on Europe, but you will find our offices around the world. Today, as I said, we will discuss about some of the organizational challenges that we have encountered last year and also this year in the, let's call it, aftermath of COVID.

And we're going to touch two big topics. So those are going to be around the hybrid mode, the new way of working, and the big reset. So two big topics, but I'll detail about a little bit later. I think the most important message is that, of course, there is life after COVID, fortunately. So we see more and more that the COVID pandemic is slowly going down, and people are returning to the office. But this is one of the biggest challenge that we are going to face and that we are facing personally in ING. So how is our life going to look like from now on? Are we going to go back to the office? Are we going to be still in a hybrid mode, and how that hybrid mode looks like?

I think these are questions which are also popping up in your minds, and maybe you're also facing similar challenges. One of the things that have emerged during the pandemic is this great reset that you see here in the picture, pictured by the World Economic Forum. So if you didn't hear about it, it's around that many people have been laid off during the pandemic, and some of them actually decided to not go back to their former jobs. Some of them opened their own businesses. Other did a reconversion to other industries. Other people just took severance packages, and they are just enjoying some holidays or some work around the house. And this actually has a big impact, or had a big impact, in what is happening now in 2022 in the job market because it's actually very difficult to find good employees.

However, even with this big challenge, life has to continue, and we have to keep working. So how do we come back to work, and how are we collaborating, right? It's two of the big questions that it's on everybody's lips because some of us do prefer to work from home. Others are saying, "I'm very happy to go back to work because I can get rid of my kids, and I can focus finally on doing some work." Other people are purely more socially interested, and they want just to hang out with their colleagues and to do some collaborative work in the office. So for the moment, I don't think there is a perfect recipe to that. If you would impose stricter rules or stricter conventions, then that would make some of the people happy.

If you still give freedom to people, you will end up in a situation where some of us are in the office and others are at home, and that would not lead to a perfect collaboration. So we think that all these elements are still to be uncovered, and we have to, during this year, and we all have to test and see what goes for our companies. And this is going to be also a topic for later at the end of this presentation, where we'll go a little bit more into details. With these new challenges, and with this new life, we start to face some new cybersecurity challenges. And with this one, I will let George to talk more about it because we think that we cannot look at this picture so simple by just saying, "Yeah, hybrid mode is a given, and this is how we should work."

We think that there are more to talk about around cybersecurity. So George, welcome, and the floor is yours.

George Proorocu

Thank you, Mihai. So when we're talking about cybersecurity, before COVID started, we were working most of the time from a secure location with occasional work from home for some of us, depending, of course, what different policies each company implemented. But then COVID-19 came, and everything changed, and most of us started working from home all the time. Policies and systems, of course, were adapted to support this change, also in terms of infrastructure and also in terms of security. And what we're experiencing now in 2022 is that we started having a mix of these both worlds, with some slight differences, depending, of course, on which type of hybrid mode each company implemented.

But more concretely, what does this mean for the cybersecurity area, and what are the current threats? And in order to answer this, we will combine our answer with the latest Europol report that was released in December last year. And this report is the Internet Organised Crime Threat Assessment, and Europol is doing it every year. And as we see in the one that was released in December, the past 12 months have been a testament to the fact that exceptional circumstances accelerate the evolution of cybercrime. And we'll focus on the main three key findings. The first one is related to the change in our shopping behavior due to the pandemic, which had a big impact within the European ecosystem.

And the effect was an increase in the number of e-commerce opportunities, and this opened a few doors for the fraudsters. On one hand, some of these crimes were exploiting the side effects of the pandemic, like for example, on the medical products that were in high demand and you couldn't find them, so people were just going through different new e-commerce platforms, for example, and just trying to buy them if they found them in stock or at a good price, and so on. The second was related to the delivery fraud, which kind of emerged as a new criminal focus in the second year of the pandemic. And for example, criminals were doing different things.

They were selling goods that didn't exist. They were trying to exploit different vulnerabilities and to hack online shops with weak security, especially the ones that were at the beginning startups, so they didn't have such a good cybersecurity department, and they were vulnerable to different type of attacks. And they were also using delivery services as phishing to try to make the people access different links and gather different information that will lead to a financial scam. The second key finding, as we saw in 2021, investment fraud emerged as the most dominant type of frauds. And this was due mostly to the fact that during these two years, people didn't spend too much money, so they were looking for good investment opportunities.

And this, mixed with the fact that the price surge of the cryptocurrencies in the early 2021 accelerated this type of scam. And how are the fraudsters operating? Well, they usually create a fake investment website, and they spend a lot of time to try to make it look as legit as possible, often creating, for example, fake reviews and so on, so at the first glance, it will really look like a legit platform. And then they offer also a surreal return of investment opportunity, and they mix this with the lack of knowledge of the victims, and then they try to gain access to their cryptocurrency wallet or to trick them into transferring money or cryptocurrencies to accounts or wallets that are under their control.

And the third finding is the mix of modi operandi, as phishing and social engineering scams developed and increased. And on this, since of course everyone was at home, and also legit services and authorities had to quickly adapt their services to this new way of working, there was an open door that led to increase of telephone vishing and text messages vishing scams. And fraudsters more often combined traditional social engineering attempts with technical components to target especially elderly victims. And this is also due to the increased use of remote access trojans on mobile devices that exploit a lack of, first of all, technical knowledge on the part of the target, with a social engineering scam that, for example, forces them to click on a link or kind of tricks them to install this type of trojan on their mobile device, which, of course, after that leads to full account access, device and account access, and will lead for significant financial harm. Some of these trojans are already adapted for different banking applications in order to partially automate the actions that are taken by the attackers. And now what can we actually do to protect ourselves, and what are we doing at European level in this direction?

One focus for the financial world during the pandemic was to try to educate the customers on how they can protect against scams in order to not rely only on the internal anti-fraud systems. And here I would just underline two very simple rules to follow. First one is that you should never give any type of personal data via phone, email, or SMS. And if you're not really sure that, let's say, the phone call that you received might be a scam or not, just hang up and just call your bank or the service provider that called you, so like that you will make sure that you're talking to the right entity. And second one is that you should never invest your money in an online investment fund unless you're doing a proper research on the platform's domain. Just search if that company is legit and so on. So spend a bit of time before actually investing in some online investment funds.

And if we're looking at European level, there are some ongoing projects to improve the awareness of potential victims of cybercrime, and this includes campaigns on fraud with internet marketing, online investment, and e-commerce frauds. And hopefully, this will help reduce and prevent fraud in the upcoming months. And next would be Mihai that will dive a bit more into the technical side. Mihai?

Mihai Roman

Thank you, George. So we've discussed about the corona impact from two aspects, one on how we work, where we work. George did a brief summary of the threats and the challenges. Now I'm going to extend that topic from a technical perspective. At the base, I'm an engineer, so I like to build functionalities, to build products for my customers, and I want to go with them as soon as possible and as fast as possible towards production, so I can see the benefits of my work in the real life. However, there we have an issue. Security was seen and it's still being seen, different organization or in different teams that it's a roadblock or it's a topic that will slow us down without missing the point that security was always one of the last points before we reach our customers.

I consider it that it's our responsibility from a normal individual contributor till the highest level in any organization. We have to reshape and look at security threats and attacks from a different perspective. So Gartner presented a report for this year where they are trying to just by changing the presentation to shift also the focus and to make, if I can say it, from the bad guys being security engineers to being the good guys and your partners. So in the end, if we have a risk at whatever level or whatever aspect, it's not only the problem of the CISO office, it's not only the problem of the security team, it's our problem. So we have to look at it completely different.

We have risks, we have ways to mitigate them, we have ways to completely remove them, and we need to think and work into that direction. And it's not a one-man job and one size fits all. We need to work together. We're here at this conference and it's sharing our knowledge, our experience with the community. The community is also there to help you when you have an issue. Looking forward to it, there were some interesting points of view shared as well in the same article. We can't have a solution for everything. We can't fix everything at the same moment in time. Mihai mentioned about the great reset. We have a limited capacity. Time is our enemy, so we need to make some priorities.

One of the recommendation would be focus on the quick wins, and by quick wins, it's not something that I can fix in a matter of minutes, but it's the one that brings the most impact. So if we look at the known rule of 80/20 and 20/80, the idea would be that choose three, even up to five items on each category. If I do a risk mitigation, for a risk mitigation, where I should look? If I will have downtime, then I will have impact on my customers, external or internals. If we go in downtime, then again, we may have a reputational loss. So we need to put them all in balance. Some of you may ask or may have a challenge in saying, "Yes, we have to prioritize three, five, even 10 items," but how I choose them?

The only advice that I would be able to give it, do not focus on only one pillar. Priorities needs to be spread over all the three pillars that we see here. We still need to take care of the revenue part. We need to be efficient. Cost, it's one aspect, but also people are another aspect. And then it's the mitigation of the risk. Do I want to kill my services for a longer period so I can have a full solution for something, or I may live with five minutes downtime here and there and still continue. I will focus a bit on the risk mitigation and on what happened quite recently in November 2021. So being an engineering lead, I'm close to the people that are building the software and they are maintaining it.

So I had a hard job to tell them on 27th of November that, "My dear colleagues, we have a big issue." And that was called Log4j. For the ones that are not very familiar, Log4j, it's one of the most used Java libraries for logging systems. So what happened? The community reported a high vulnerability, and there were different aspects of it. You may have impact, you may have less impact. So it was all based on your context and based on your setup. And coming back to community, Log4j, it's an open source library, and the community did an amazing job, not by only exposing the vulnerability, but by also providing the next steps, either by a mitigation action, either by a solution. And then the question was, from our perspective, what we do first?

We go for the mitigation, we go for the solution. So we had situations where mitigation was the only way to go. There are other applications or setups where we really had to go for the full solution. But if we put this into perspective, time it's limited. Engineering capacity is limited. I received an interesting remark. "Yes, we know. We are aware about this issue, but what can we do?" And one of my colleagues shared with me this screenshot. It's about the usage of Log4j in other systems. So he said, "Yes, we are looking at Log4j version two. Yes, we know we have a high vulnerability on it, but it's only used by 6,000 other artifacts." And then we had our colleagues from CISO, which started to play the role of a coach. So they've guided us in the process of fixing everything, either by the final solution or by the mitigation, and kept us updated with all the new changes because it was not one shot which fixed everything.

However, there were a couple of weeks, heavy weeks, and very challenging. And then the same colleague came back to me with another screenshot, which was a surprise. Everybody focused on the version two of Log4j. But then he said, "Okay, but what about version 1.2? It was not reported as being vulnerable or something, but we may have another issue there." And that issue being that this version is end of life, out of support since 2015. And then you are in the position where you are an engineer, you want to go forward faster. You have these kind of situations where you need to take a decision and you need to act fast. And you have the, let's call them still the bad guys, the security guys, which are coming with new issues after new issues. So then it was a task force being created between engineering leads, security engineers or security leads, and we ended up at the conclusion that we need to have a full review of everything that we have. Log4j was behind us, so we had to look forward. There are a lot of open source tools which can provide help in identifying these kind of issues, and we started to make use of them at their full potential.

Making it as a conclusion, don't look at your colleague, whatever his function is, his role it is, as somebody that tries to slow you down. Work together, build a community, and move forward. Move forward because it's in both advantages. It's not if I win, you lose, or the other way around. If we win, we win together. If we lose, we lose together. I will ask Mihai to do the closure and to ask the hard question.

Mihai Popa

So yeah. Thanks, Mihai, for this. I think everybody noticed that we've started talking about Corona, then we walked through a little bit the hybrid mode and then the challenges that happened after the hybrid mode. We talked about IOCTA. We talked now about Log4j. And Mihai also talked a lot about the community part. So indeed, we're here to talk about our experiences and all the challenges we have, the challenges that we're having and we're facing, and how are we trying to go around them. But I think mainly we're also looking for help. And here there are two pillars where we would like to open the discussions with you. And those pillars are the new way of working.

We'd like to find out other challenges that might have been faced in cybersecurity or in this new way of working in your company. So, reach out to us and tell us your stories or come up with some ideas around this topic, because we would like to learn also from you. The second point is very linked to what Mihai said about Log4j, the story about Log4j. So it's around how do you combine the new way of working with these critical moments? How do you deal with these situations? Because in the past it was simple. Everybody was in the office, everybody was gathering in a war room, and that was it. But nowadays, as we are still trying to find our ways, that it's not so clear what the processes are and what do you have to do. So we're curious to hear about your stories, as well.

And now, just before the closure, we would like that you go back with three key takeaways, if we can call them like this. First of all, what we have noticed is that there is no one size fits all for this hybrid model. I think internally in ING, we'll still have to experiment and try to find our best approach. And our best approach might not work with you. And this applies also for the cybersecurity responses. So think about that. Whatever we share here with you, it's more for you to learn and to listen, but it might not work in your organization, or it could work perfectly. So keep this in mind. The second one is about running a safe environment.

Mihai insisted a lot about if you're working in a risk department or a CISO department, it's not like you're the policeman who has to come to us to fine us if we're not doing the right thing. It's the responsibility of all of us, including our customers, to have that safe environment. The customers have to report when there is phishing, and us as engineers or engineering leads or people working in the CISO domain, we have to work together to make the environment more safe. And maybe the last one, which I find actually very powerful, and I'd like you to keep this in mind. This is not going to be the last time. It's not going to be the last time when we're going to have a pandemic.

It's not going to be the last time when a situation like Log4j occurs. So try to be prepared or to be adaptable for the future. These things will come up again and again and again. Just because we had the pandemic 100 years ago, it doesn't mean that it didn't appear again, right? So just because we had an issue with Log4j in November, it doesn't mean we're not going to have something similar, let's say, in a year from now. Keep yourself focused and remember that you always have to be as prepared as you can. With all this being said, this was our story. We would like to thank you very much for attending our session and also for paying attention. And now we're opening the floor for discussions and questions. Thank you very much.