First Union Bank Report

Upload: yogesh-kumar

Post on 08-Apr-2017

TRANSCRIPT

Page 1: First Union Bank Report

FIRST UNION BANK REPORT

Yogesh Kumar

The world has changed over the last few years, especially within banking. Its processes – from retail transactions to market operations – have been transformed by technology and continue to evolve.

Northeastern University ITC6320

Page 2: First Union Bank Report

Best practices in security are reactionary and outdated. It’s time for a new approach. In this webcast, we will show you how the threat landscape is evolving and how to adapt your security strategy to new types of attacks.

Abandon the idea that security success requires 100% prevention. We’re in a post-prevention era, where it is no longer enough to prevent attacks—you need a fast, focused response to a breach. The challenge is to define a border around data that is accessed from anywhere, when users can access the Internet from anywhere. From “The cyberwar plan”, published in the National Journal in 2009: “in the months before the U.S. invasion of Iraq in March 2003, military planners considered a computerized attack to disable the networks that controlled Iraq’s banking system, but they backed off when they realized that those networks were global and connected to banks in France.” A cyber attack could contribute to, or trigger, the financial collapse of a nation, or even a group of connected nations.

Between the 1880s and the 1930s, physical bank burglaries were a substantial problem. To counter these threats, banks employed vaults to protect their contents from theft, unauthorized use, fire, natural disasters, and other threats.

During the 1950s, researchers at the Stanford Research Institute invented “ERMA”, the Electronic Recording Method of Accounting computer processing system.

Page 3: First Union Bank Report

Attackers’ activity and motivation

Targeting bank systems directly to modify, delete and steal data.

Criminal Capabilities: network intrusion, hackers-for-hire, insiders (witting and unwitting)

Common actors: state-sponsored, criminals, hacktivists.

The targeted intrusion into a bank’s systems is often perceived as the greatest threat due to the malicious actor’s ability to not only steal data but modify or delete it. By exploiting software, hardware or human vulnerabilities, hackers can gain administrative control of networks which, if abused, could have catastrophic consequences. If published, network security breaches can affect share prices, cause irreparable reputational damage and impact the stability of the wider financial market.

Targeting disruption of access to bank network systems and services.

Criminal Capabilities: denial of service, ransomware

Common actors: state-sponsored, criminals, hacktivists.

Denial of Service (DoS) attacks are increasing in scale and effectiveness. Over the last 12 months cyber actors have increasingly utilized open domain name servers to amplify their attacks. A high-profile example of this in 2013 was against Spamhaus, which resulted in the largest recorded DoS attack, reaching over 300 gigabytes per second (the average being approximately 3).
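The amplification pattern described above leaves a clear trace in a resolver's own traffic: a spoofed victim receives many large responses from the resolver while the resolver sees only tiny "queries" from it. The following is an added example, not part of the report; the flow-log format, the peer addresses (RFC 5737 documentation ranges) and the thresholds are constructed assumptions, and the parser would be adapted to whatever flow export a real resolver produces.

```python
"""Added example (not from the report): flagging DNS amplification traffic
from a resolver's per-peer byte counts. Log format and rows are constructed."""
from collections import defaultdict

# Constructed flow log, one UDP datagram per row:
# direction (in = received by resolver, out = sent by resolver), peer_ip, udp_port, bytes
SAMPLE_FLOWS = """\
in,198.51.100.7,53,64
out,198.51.100.7,53,3100
in,198.51.100.7,53,64
out,198.51.100.7,53,3100
in,198.51.100.7,53,64
out,198.51.100.7,53,3100
in,203.0.113.5,53,70
out,203.0.113.5,53,140
in,203.0.113.9,53,68
out,203.0.113.9,53,512
"""


def parse_flows(text):
    """Parse the constructed CSV-style flow log into (direction, peer, port, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, peer, port, size = line.split(",")
        rows.append((direction.strip(), peer.strip(), int(port), int(size)))
    return rows


def amplification_report(rows, min_ratio=10.0, min_responses=3):
    """Return {peer: bytes_out/bytes_in} for peers that repeatedly receive far more
    DNS data than they send. A legitimate client asks and gets modest answers;
    a spoofed victim 'asks' with tiny packets and is flooded with large responses."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "responses": 0})
    for direction, peer, port, size in rows:
        if port != 53:                      # only DNS traffic is of interest here
            continue
        entry = stats[peer]
        entry[direction] += size
        if direction == "out":
            entry["responses"] += 1

    flagged = {}
    for peer, entry in stats.items():
        ratio = entry["out"] / entry["in"] if entry["in"] else float("inf")
        if entry["responses"] >= min_responses and ratio >= min_ratio:
            flagged[peer] = round(ratio, 1)
    return flagged


if __name__ == "__main__":
    for peer, ratio in amplification_report(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible amplification target {peer}: response/query byte ratio {ratio}")
```

The same check generalizes to other UDP amplifiers (NTP, SSDP) by changing the port filter. Detection is the second line of defence: the first is not to run an open resolver at all, restricting recursion to the bank's own client networks and enabling response rate limiting on the authoritative servers.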

The large-scale harvesting of personal and business data to commit fraud.

Key criminal capabilities: financial trojans, man-in-the-middle attacks, botnets, exploit kits, spam, social engineering.

Common actors: criminals, terrorists (financing).

Financially motivated crime groups are a growing threat to banks. The growth in the “as-a-service” nature of the marketplace is fuelling an increase in the number of traditional crime groups and individuals drawn into cyber offending.

Page 4: First Union Bank Report

The three main categories of malicious actors involved in cyber-attacks.

Page 5: First Union Bank Report

In 70% of the cases studied, the insiders exploited, or attempted to exploit, systemic vulnerabilities in applications and processes.

In 61% of cases the insiders exploited vulnerabilities inherent in the hardware, software or network design.

91% of all the surveyed organizations experienced financial loss as a result of insider attacks.

26% of cases involved the use of someone else's computer account, physical use of an unsecured terminal, or social engineering.

Source: report “Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector” (2004)

Instead of comprehensively and systematically addressing known vulnerabilities, many banks have been content to live with an “acceptable” degree of operating losses. Most banks hedged their bets with insurance and limited countermeasures, many pursuing various approaches to shift liability, and the costs to implement security controls, to others.

Page 6: First Union Bank Report

Reasons for Inadequate Bank Security Policy:

Inappropriate passwords and responding to social engineering

Internet and e-mail policy limitations

Responding to viruses and other malware.

Inappropriate usage of systems including the servers, computers and external media devices.

Inappropriate physical security measures to ensure the protection of facilities, assets and personnel.

Page 7: First Union Bank Report

Implementations for Security:

Unofficial floppies, CDs or flash drives should not be used on office systems. A floppy should be write-protected if data is to be transferred from the floppy to the system.

Keep the system screen saver enabled with password protection. Do not share or disclose your password. Users should not have easily guessable passwords for network access, screen saver etc. Change passwords at regular intervals.

Backups should be maintained regularly on the space provided on the central server of the department or on storage media as per department policy. Keep the DATs or other removable media in a secure location away from the computer. For sensitive and important data, offsite backup should be used.

Keep portable equipment secure. Report any loss of data or accessories to the System Administrator. Install a UPS system with adequate battery backup to avoid any data loss or corruption due to power failure.

All file-level security depends upon the file system. Only the most secure file system should be chosen for the server. Then user permissions for individual files, folders and drives should be set. Avoid creating junk files and folders.

Users are not supposed to do their personal work on computers. Do not install or copy software on a system without the permission of the System Administrator.

Page 8: First Union Bank Report

Challenges for the Kerberos Authentication System

Biggest weakness: the assumption of a secure time system, and the resolution of synchronization required.

Password guessing: no authentication is required to request a ticket, hence an attacker can gather the equivalent of /etc/passwd by requesting many tickets.

Not a host-to-host protocol.

Chosen plaintext: in CBC, a prefix of an encryption is the encryption of a prefix, so an attacker can disassemble messages and use just part of a message.
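The CBC prefix property is easy to see in code, and so is the standard remedy: authenticate the whole ciphertext so that a truncated message is rejected before it is decrypted. The block below is an added example, not code from the report and not Kerberos's DES-based implementation. To run without third-party packages it uses a small 4-round Feistel block cipher built from HMAC-SHA256 as a stand-in for the real cipher (an assumption made for portability only); the CBC property it demonstrates does not depend on which block cipher is used. Keys, the IV handling and the sample message are constructed.

```python
"""Added example (not from the report): CBC's prefix property, and
encrypt-then-MAC as the check that makes truncation detectable.
The block cipher is a toy Feistel construction, NOT AES or DES."""
import hashlib
import hmac
import os

BLOCK = 16            # block size in bytes
HALF = BLOCK // 2
TAG_LEN = 32          # HMAC-SHA256 output


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed, round-dependent PRF used as the Feistel round function (toy cipher).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, left, rnd)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)   # each block needs only its predecessor
        prev = blk
    return bytes(out)


def prefix_of_ciphertext_decrypts(key: bytes, iv: bytes, padded: bytes, n_blocks: int) -> bool:
    """The property the slide describes: the first n blocks of a CBC ciphertext
    decrypt cleanly, with no error, to the first n blocks of the plaintext."""
    ct = cbc_encrypt(key, iv, padded)
    return cbc_decrypt(key, iv, ct[:n_blocks * BLOCK]) == padded[:n_blocks * BLOCK]


# --- mitigation: encrypt-then-MAC, so the receiver rejects anything shorter than sent ---
def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()   # MAC covers IV and full ciphertext
    return iv + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):          # constant-time comparison
        raise ValueError("integrity check failed: message truncated or altered")
    padded = cbc_decrypt(enc_key, iv, ct)
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def truncation_is_detected(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes, n_blocks: int) -> bool:
    """Drop trailing ciphertext blocks but keep the original tag: open_sealed must refuse it."""
    blob = seal(enc_key, mac_key, iv, plaintext)
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-TAG_LEN], blob[-TAG_LEN:]
    try:
        open_sealed(enc_key, mac_key, iv + ct[:n_blocks * BLOCK] + tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ENC_KEY, MAC_KEY = b"K" * 32, b"M" * 32          # constructed demo keys only
    IV = os.urandom(BLOCK)
    MSG = b"AUTH user=alice  ; then revoke session"  # constructed: 39 bytes -> 3 padded blocks
    print("prefix decrypts cleanly without MAC:", prefix_of_ciphertext_decrypts(ENC_KEY, IV, pkcs7_pad(MSG), 2))
    print("truncation rejected with MAC:      ", truncation_is_detected(ENC_KEY, MAC_KEY, IV, MSG, 2))
    print("round trip intact:                 ", open_sealed(ENC_KEY, MAC_KEY, seal(ENC_KEY, MAC_KEY, IV, MSG)) == MSG)
```

The first function shows why the receiver of an unauthenticated CBC message cannot tell that blocks were removed; the second shows that a MAC computed over the complete ciphertext turns the same truncation into a hard failure before any plaintext is produced. Modern Kerberos encryption types solve this the same way, by binding an integrity check to every encrypted message; an AEAD mode such as AES-GCM gives the combined guarantee directly.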

Changes

We could fix Kerberos with a challenge-response protocol during the authentication handshake. It could also be fixed by a Diffie-Hellman (D-H) key exchange.

We can go with other protocols like SSL, TLS, SSH, IPsec etc. Stop using the iPad for a few days until the time issue is resolved. Implement a secured protocol that will be safe for mobile applications too.
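The challenge-response fix mentioned above removes the dependence on synchronized clocks: instead of a timestamped authenticator, the server hands out a fresh random nonce and the client proves knowledge of the shared key with a keyed hash over that nonce. The following is an added illustration, not the report's code and not how Kerberos itself is implemented; the principal names, the shared secret and the in-memory nonce table are constructed for the demo.

```python
"""Added example (not from the report): nonce-based challenge-response
authentication that needs no clock. Replayed responses are rejected
because each challenge is accepted at most once."""
import hashlib
import hmac
import os


def respond(shared_key: bytes, principal: str, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key without sending it or a timestamp."""
    msg = b"auth|" + principal.encode() + b"|" + nonce     # bind the proof to the principal
    return hmac.new(shared_key, msg, hashlib.sha256).digest()


class Verifier:
    """Server side: issues single-use random challenges and checks the responses."""

    def __init__(self, shared_keys: dict):
        self._keys = dict(shared_keys)      # principal -> shared secret (constructed store)
        self._outstanding = {}              # nonce -> principal it was issued to

    def challenge(self, principal: str) -> bytes:
        # 128 bits of randomness: unpredictable, so a response cannot be precomputed.
        nonce = os.urandom(16)
        self._outstanding[nonce] = principal
        return nonce

    def verify(self, principal: str, nonce: bytes, response: bytes) -> bool:
        # Single use: the nonce is consumed whether or not the response turns out valid,
        # so a captured (nonce, response) pair cannot be replayed later.
        issued_to = self._outstanding.pop(nonce, None)
        key = self._keys.get(principal)
        if issued_to != principal or key is None:
            return False                    # unknown, replayed or mismatched challenge
        return hmac.compare_digest(respond(key, principal, nonce), response)


def demo():
    """Returns (first attempt ok, replay ok, wrong-key ok); expected (True, False, False)."""
    key = b"constructed-shared-secret"
    server = Verifier({"alice": key})

    n1 = server.challenge("alice")
    r1 = respond(key, "alice", n1)
    first = server.verify("alice", n1, r1)             # fresh challenge, right key

    replay = server.verify("alice", n1, r1)            # same pair again: nonce already consumed

    n2 = server.challenge("alice")
    forged = server.verify("alice", n2, respond(b"wrong-key", "alice", n2))
    return first, replay, forged


if __name__ == "__main__":
    print(demo())
```

In a production verifier the outstanding-challenge table would also expire entries after a short window and cap its size, otherwise an unauthenticated client could fill it by requesting challenges, which is the same "no authentication is required to request a ticket" concern the slide raises against Kerberos.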

RECOMMENDATIONS

Eliminate unnecessary data; keep tabs on what’s left. Consider using the built-in security features that are provided with your Internet browser instead of disabling them. Always log out of the online banking site or application completely. Use a current Internet browser with 128-bit encryption that supports secure and private transactions. If your computer is on a wireless network (home or public), ensure that the router settings are secure (encrypted). Using scanning devices, individuals can intercept unencrypted signals and view or obtain your information.

It is recommended to clear the browser cache before starting an online banking session in order to eliminate copies of web pages that have been stored on the hard drive.

Use caution when downloading files, installing software, or opening email attachments from unverified or unknown sources. Many of these files contain spyware or key-logging programs that can send information back to a malicious site.

Download apps only from trusted stores and/or markets.

Page 9: First Union Bank Report

To protect the bank from security breaches, you should adopt internal controls and guidelines like the following:

Protect your machines. Place limits and controls on who has access to your computer systems. Make sure your organization’s computers are running the latest operating system and versions of software, web browser, and anti-virus protection. Check that your anti-virus software is up-to-date and updated automatically.

Keep your computers up-to-date with security fixes by turning on Automatic Updates, and make sure you reboot when prompted. Filter websites and use a good firewall with intrusion prevention. And don’t do your banking from a computer that is used to surf the web – limit which computers can be used to perform online banking.

Protect your password. Never give it to anyone and don’t write it down. Use a secure password manager if you need help keeping track of many passwords.

Teach your employees to be cautious and suspicious, and never take e-mail at face value – especially if it seems urgent or contains threats. These may be phishing attempts designed to trick people into opening a malicious link or attachment. They should know to always check any suspicious or unexpected communications by calling, e-mailing, or going to a website directly instead of clicking any links.

Let us help you limit fraud. Use fraud protection services such as Positive Pay for checks issued and ACH Monitoring Service, including debit and credit blocks for unauthorized ACH entries to your account. Also, use payment templates to prevent unauthorized modifications, and ensure that your payment limits reflect your typical transaction amounts.

Page 10: First Union Bank Report

References:

http://securityaffairs.co/wordpress/9346/cyber-crime/who-is-attacking-the-financial-world-and-why.html

http://www.ft.com/cms/s/0/9de4a842-2ef6-11e4-a054-00144feabdc0.html#axzz3PUdSWHiN

https://www.bba.org.uk/wp-content/uploads/2014/06/BBAJ2110_Cyber_report_May_2014_WEB.pdf

https://nuonline.neu.edu/bbcswebdav/pid-7976074-dt-content-rid-10637542_1/courses/ITC6320.20495.201525/ITC6320.20495.201525_ImportedContent_20141221085908/ITC6320.81180.201435_ImportedContent_20140325044529/ES_data-breach-investigations-report-2013_Excutive%20summary.pdf

http://www.eecs.berkeley.edu/~fox/summaries/glomop/kerb_limit.html

https://www.fremontbank.com/about/business-online-security/security-recommendations