OCBC Bank Service Outage: The Implications
Lack of Good Monitoring Apparently Led to Problems
The recent case in which Singapore's OCBC bank suffered a few hours of outage because of an apparent lack of proper monitoring could lead to bigger security issues unless the management and security team of the bank take appropriate steps.
"A software failure in the backup unit for the core banking system resulted in the storage in the core banking system to reach its maximum capacity. The software failure signal was unfortunately not detected for rectification due to a human oversight," said Samuel Tsien, the bank's CEO, in a statement to the media.
At a time when attackers are waiting to take advantage of any opportunity, this security blunder is a cause for concern.
The software discrepancy in this case shows that developers need to keep security in mind - an aspect which often gets ignored.
"Given that software today is never perfectly or robustly written, anything can happen," says Anthony Lim, principal consultant at Fortinet. "The sad part is organizations continue to ignore this issue in order to roll out products faster," he says (see: ATM Security Software Found to Have Serious Vulnerability).
Another critical issue is the lack of experienced staff with software development expertise. "Software development staff are often inexperienced in secure coding practices," Lim says. "Also, security is often not the priority as much as the speed and other features of a software."
Unfortunately, some organizations still believe in the notion that incorporating security earlier in the development cycle will delay quick rollout of innovative new applications. But they fail to realize that when they speed up development by skipping security steps, they risk harming the reputation of the organization in the long run when security issues arise (see: DevSecOps: The Keys to Success).
Now that the bank has acknowledged that a software failure led to the outage, the CISO must ensure there is a proper secure software development process or framework in place.
"Software security can't be ignored for too long," Lim says.
Lack of Monitoring
Monitoring IT systems and data is one of the important aspects of any critical infrastructure. OCBC should take immediate steps to investigate the root cause of the problem.
"It seems for OCBC, this [monitoring] process has not been implemented in an effective manner, as it's not an oversight of one to two days which will lead to such issue where the CBS storage capacity gets full," says Sandeep Arora, co-founder and CEO at CyberImmersions Solutions, which provides training, education and consulting in cybersecurity, cyber law and privacy.
The bank also apparently lacked adequate business continuity readiness.
"Given their storage got full, it shows they have not planned well for contingency with adequate storage available," Arora says. "Also, to take four hours to fix a storage issue is too long."
The bank needs to carry out a comprehensive IT resilience check for all its critical hardware and software components, including identifying every area or component that is a single point of failure (SPOF), Arora suggests. "This will help minimize SPOF risks, and the ones which cannot be eliminated must be well-documented and accepted as a business risk," he says.