Question


On the 26th July 2019, National Australia Bank (NAB), which is the 4th largest bank in Australia, contacted approximately 13,000 customers to advise that some personal information provided when their account was set up was uploaded, without authorisation, to the servers of two data service companies. NAB’s security teams have contacted the companies, who advise that all information provided to them is deleted within two hours.

NAB Chief Data Officer, Glenda Crisp, said the compromised data included customer name, date of birth, contact details and in some cases, a government-issued identification number, such as a driver’s licence number. “We take the privacy and the protection of customer information extremely seriously and I sincerely apologise to affected customers. We take full responsibility,” she said. “The issue was human error and in breach of NAB’s data security policies.” Ms Crisp said it was not a cyber-security issue. No NAB log-in details or passwords have been compromised – and NAB’s systems remain secure.

“Our number one priority is to support our customers. We are moving quickly to proactively contact every person affected.” NAB called, emailed or wrote to each impacted customer individually. A dedicated, specialist support team was in place, available to them 24/7. If government identification documents need to be reissued, NAB would cover the cost. NAB would also cover the cost of independent, enhanced fraud detection identification services for affected customers. Importantly, there is no evidence to indicate that any of the information has been copied or further disclosed. NAB is advising impacted customers that they do not need to take any action with their account.

“We have reviewed these customers’ accounts, over and above our rigorous normal checks, and have not identified any unusual activity. We will continue to monitor 24/7 to protect our customers’ accounts,” Ms Crisp said. NAB also notified and was working with industry regulators, including the Office of the Australian Information Commissioner. Ms Crisp said: “We take full responsibility. We can assure you that we understand how this happened and we are making changes to ensure this does not happen again.”

On further development, the NAB CEO admitted that it is difficult to invest a huge amount of money in information security compared to industry leaders like Microsoft, Google and Amazon. His opinion was to leverage the infrastructure created by these companies, i.e. through cloud computing.

1. Overview of the addressed problem.

2. Describe common security issues that an auditor needs to investigate.

3. Describe NAB’s response to the data breach.

4. Propose information security measures NAB should adopt.

5. Describe the role of cloud computing in information security.

Solutions

Expert Solution

Here the main issue is that the data has been deleted from the database of the 4th largest bank of Australia.
Without the authorisation of the data server, they are now uploading this data after asking around 13k customers about the lost data information.
Main questions of concern:
1. What is the guarantee that only this data has been deleted?
2. Were there no backups of the data?
3. What if some of the people who have accessed the database do it again and delete the data?
4. What if someone has already had access to the database for a long time, they have been stealing this data, and this was a mere mistake from the stealer's side?
5. What if their user IDs and passwords are hacked?
6. Why didn't the bank take a security check-up?
7. Did the company set up an external auditor and an investigating committee to solve the issue and reach a conclusion on how this happened?

1. Check if it is a software glitch, manual error or theft. If you hide the information from your clients, you would be in much bigger problems, like legal issues.
2. Check all the vulnerabilities in the database.
3. Why to start setting up cloud services and keep at least 2-3 servers where backup data is stored.
4. Involve business unit managers early.
5. Make sure auditors rely on experience, not just checklists.
6. Insist that the auditor's report reflects your organization's risks.
7. Black-box audits.
8. Surprise inspections.
9. Take auditors' hackathon by internal coders and software engineers.
10. The risk of service interruption, such as a DoS attack.

NAB's response was slightly positive, but no corrective action has been ensured by them. There was no announcement of an investigation committee. They said they know the reason; once they said this was a human error, what action they are taking on the person was not disclosed.

Cloud computing and storage provide users with capabilities to store and process their data in third-party data centers. Organizations use the cloud in a variety of different service models (with acronyms such as SaaS, PaaS, and IaaS) and deployment models (private, public, hybrid, and community). It is generally recommended that information security controls be selected and implemented according to and in proportion to the risks, typically by assessing the threats, vulnerabilities and impacts. Cloud security concerns can be grouped in various ways; Gartner named seven while the Cloud Security Alliance identified twelve areas of concern. Cloud access security brokers (CASBs) are software that sits between cloud users and cloud applications to provide visibility into cloud application usage, data protection and governance to monitor all activity and enforce security policies.

The policies of the cloud are prone to security threats as well.

In order to conserve resources, cut costs, and maintain efficiency, cloud service providers often store more than one customer's data on the same server. As a result, there is a chance that one user's private data can be viewed by other users (possibly even competitors). To handle such sensitive situations, cloud service providers should ensure proper data isolation and logical storage segregation.[2]

The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between the OS and underlying hardware – be it computing, storage or even networking. This introduces an additional layer – virtualization – that itself must be properly configured, managed and secured. Specific concerns include the potential to compromise the virtualization software, or "hypervisor". While these concerns are largely theoretical, they do exist. For example, a breach in the administrator workstation with the management software of the virtualization software can cause the whole datacenter to go down or be reconfigured to an attacker's liking.

