first union bank report
1
FIRST UNION BANK REPORT
Yogesh Kumar
Northeastern University ITC6320
The world has changed over the last few years, especially within banking. Its processes – from retail transactions to market operations – have been transformed by technology and continue to evolve.
2
Best practices in security are reactionary and outdated. It’s time for a new approach. In this webcast, we will show you how the threat landscape is evolving and how to adapt your security strategy to new types of attacks.
Abandon the idea that security success requires 100% prevention. We’re in a post-prevention era, where it is no longer enough to prevent attacks—you need a fast, focused response to a breach. The challenge is to define a border around data that is accessed from anywhere, when users can access the Internet from anywhere. From “The cyberwar plan”, published in the National Journal in 2009: “in the months before the U.S. invasion of Iraq in March 2003, military planners considered a computerized attack to disable the networks that controlled Iraq’s banking system, but they backed off when they realized that those networks were global and connected to banks in France.” A cyber attack could contribute to, or trigger, the financial collapse of a nation, or even a group of connected nations.
Between the 1880s and the 1930s, physical bank burglaries were a substantial problem. To counter these threats, banks employed vaults to protect their contents from theft, unauthorized use, fire, natural disasters, and other threats.
During the 1950s, researchers at the Stanford Research Institute invented “ERMA”, the Electronic Recording Method of Accounting computer processing system.
3
Attackers’ activity and motivation
Targeting bank systems directly to modify, delete and steal data.
Criminal capabilities: network intrusion, hackers-for-hire, insiders (witting and unwitting)
Common actors: state-sponsored, criminals, hacktivists.
The targeted intrusion into a bank’s systems is often perceived as the greatest threat due to the malicious actor’s ability to not only steal data but modify or delete it. By exploiting software, hardware or human vulnerabilities, hackers can gain administrative control of networks which, if abused, could cause catastrophic consequences. If published, network security breaches can affect share prices, cause irreparable reputational damage and impact the stability of the wider financial market.
Targeting disruption of access to bank network systems and services.
Criminal capabilities: denial of service, ransomware
Common actors: state-sponsored, criminals, hacktivists.
Denial of Service (DoS) attacks are increasing in scale and effectiveness. Over the last 12 months cyber actors have increasingly utilized open domain name servers to amplify their attacks. A high-profile example of this in 2013 was against Spamhaus, which resulted in the largest recorded DoS attack, reaching over 300 gigabytes per second (the average being approximately 3).
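The amplification attacks described above work because a server answers a small query with a large response sent to whatever source address the query carried. The standard defence on the server side is response rate limiting (RRL), which caps how many identical responses go to one client network per second and, for part of the excess, sends a truncated reply that forces a TCP retry a spoofed source cannot complete. The following simulation is an added example, not code from the original slides; the query record layout, the limits and the sample traffic (a normal resolver plus a burst of spoofed ANY queries) are constructed for this example.

```python
"""Response rate limiting (RRL) for a DNS server, simulated over a constructed
query log. Added example, not code from the original slides. Parameter names,
window sizes and response sizes below are this example's own assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

TC_RESPONSE_BYTES = 64  # assumed size of a truncated (TC=1) reply that carries no answer data


@dataclass(frozen=True)
class Query:
    t: float         # seconds; constructed timestamps
    src: str         # apparent source address (an attacker puts the victim's here)
    qname: str
    qtype: str
    resp_bytes: int  # size of the full response the server would send


@dataclass
class RrlConfig:
    responses_per_second: int = 5  # identical responses allowed per client /24 per second
    slip: int = 2                  # every Nth excess response is sent truncated instead of dropped
    prefix_len: int = 24


class ResponseRateLimiter:
    """Counts identical responses per (client prefix, qname, qtype) in fixed one-second windows."""

    def __init__(self, cfg: RrlConfig):
        self.cfg = cfg
        self.counts = defaultdict(int)
        self.excess = defaultdict(int)

    def _key(self, q: Query):
        net = ipaddress.ip_network(f"{q.src}/{self.cfg.prefix_len}", strict=False)
        return (str(net), q.qname.lower(), q.qtype, int(q.t))

    def decide(self, q: Query) -> str:
        """Return 'send' (full answer), 'slip' (truncated answer that makes a real
        client retry over TCP) or 'drop'."""
        key = self._key(q)
        self.counts[key] += 1
        if self.counts[key] <= self.cfg.responses_per_second:
            return "send"
        self.excess[key] += 1
        if self.cfg.slip and self.excess[key] % self.cfg.slip == 0:
            return "slip"
        return "drop"


def simulate(queries, cfg=None):
    """Run the limiter over a query log. Returns decision counts and the bytes that
    would reach each source address with RRL on versus off."""
    rrl = ResponseRateLimiter(cfg or RrlConfig())
    decisions = defaultdict(int)
    with_rrl = defaultdict(int)
    without_rrl = defaultdict(int)
    for q in queries:
        d = rrl.decide(q)
        decisions[d] += 1
        without_rrl[q.src] += q.resp_bytes
        if d == "send":
            with_rrl[q.src] += q.resp_bytes
        elif d == "slip":
            with_rrl[q.src] += TC_RESPONSE_BYTES
    return dict(decisions), dict(with_rrl), dict(without_rrl)


def constructed_log():
    """Constructed sample: a normal resolver asking three questions, plus a burst of
    40 spoofed ANY queries for one name within a single second."""
    normal = [Query(10.0 + i * 0.1, "192.0.2.10", f"host{i}.example.com", "A", 120) for i in range(3)]
    burst = [Query(10.0 + i * 0.02, "198.51.100.7", "example.com", "ANY", 3000) for i in range(40)]
    return normal + burst


if __name__ == "__main__":
    decisions, on, off = simulate(constructed_log())
    print("decisions:", decisions)
    for src in off:
        print(f"{src}: {off[src]} bytes without RRL, {on.get(src, 0)} bytes with RRL")
```

With the constructed burst, the spoofed source would receive 120,000 bytes of responses without RRL and 16,088 bytes with it, while the legitimate resolver's three distinct queries are all answered in full; the limiter keys on identical responses, so ordinary clients asking different questions are not affected.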
The large-scale harvesting of personal and business data to commit fraud.
Key criminal capabilities: financial trojans, man-in-the-middle attacks, botnets, exploit kits, spam, social engineering.
Common actors: criminals, terrorists (financing).
Financially motivated crime groups are a growing threat to banks. The growth in the “as-a-service” nature of the marketplace is fuelling an increase in the number of traditional crime groups and individuals drawn into cyber offending.
4
The three main categories of malicious actors involved in cyber-attacks.
5
In 70% of cases studied, the insiders exploited, or attempted to exploit, systemic vulnerabilities in applications and processes.
In 61% of cases the insiders exploited vulnerabilities inherent in the hardware, software or network design.
91% of all the surveyed organizations experienced financial loss as a result of insider attack.
26% of cases involved the use of someone else’s computer account, physical use of an unsecured terminal, or social engineering.
Report: “Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector” (2004)
Instead of comprehensively and systematically addressing known vulnerabilities, many banks have been content to live with an “acceptable” degree of operating losses. Most banks hedged their bets with insurance and limited countermeasures, many pursuing various approaches to shift liability, and the costs to implement security controls, to others.
6
Reasons for Inadequate Bank Security Policy:
Inappropriate passwords and responding to social engineering
Internet and e-mail policy limitations
Responding to viruses and other malware
Inappropriate usage of systems, including servers, computers and external media devices
Inappropriate physical security measures to ensure the protection of facilities, assets and personnel
7
References:
http://securityaffairs.co/wordpress/9346/cyber-crime/who-is-attacking-the-financial-world-and-why.html
http://www.ft.com/cms/s/0/9de4a842-2ef6-11e4-a054-00144feabdc0.html#axzz3PUdSWHiN
https://www.bba.org.uk/wp-content/uploads/2014/06/BBAJ2110_Cyber_report_May_2014_WEB.pdf
Implementations for Security:
Unofficial floppies, CDs or flash drives should not be used on office systems. Floppies should be write-protected if data is to be transferred from floppy to system.
Keep the system screen saver enabled with password protection. Do not share or disclose your password. Users should not have easily guessable passwords for network access, screen saver, etc. Change passwords at regular intervals.
Backups should be maintained regularly on the space provided on the department’s central server or on storage media as per department policy. Keep the DATs or other removable media in a secure location away from the computer. For sensitive and important data, offsite backup should be used.
Keep portable equipment secure. Report any loss of data or accessories to the System Administrator. Install a UPS system with adequate battery backup to avoid any data loss or corruption due to power failure.
All file-level security depends upon the file system. Only the most secure file system should be chosen for the server. Then user permissions for individual files, folders and drives should be set. Avoid creating junk files and folders.
Users are not supposed to do their personal work on office computers. Do not install or copy software on a system without permission of the System Administrator.
8
Challenges for the Kerberos Authentication System
Biggest weakness: the assumption of a secure time system, and the clock synchronization it requires.
Password guessing: no authentication is required to request a ticket, so an attacker can gather the equivalent of /etc/passwd by requesting many tickets.
Not a host-to-host protocol.
Chosen plaintext: in CBC, a prefix of an encryption is the encryption of a prefix, so an attacker can disassemble messages and use just part of a message.
Changes
We could fix Kerberos with a challenge-response protocol during the authentication handshake. It could also be fixed by a D-H (Diffie-Hellman) key exchange.
We can go with other protocols like SSL, TLS, SSH, IPsec, etc. Stop using iPads for a few days until the time issue is resolved. Implement a secured protocol that will be safe for mobile applications too.
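The CBC point above (a prefix of the ciphertext decrypts to a prefix of the plaintext, so a message can be cut short without the recipient noticing) is a property of the mode, not of any particular cipher, and the fix is to authenticate the whole ciphertext. The code below is an added example, not code from the original slides or from Kerberos; it uses a toy 4-round Feistel block cipher built from SHA-256 (an assumption of this example so it runs with the standard library alone) to show the silent truncation under plain CBC and its rejection under encrypt-then-MAC.

```python
"""CBC prefix truncation and the encrypt-then-MAC fix. Added example; not code from
the original slides or from Kerberos. The toy Feistel cipher is an assumption of
this example; the CBC property shown does not depend on which block cipher is used."""
import hashlib
import hmac

BLOCK = 16
HALF = BLOCK // 2
# Constructed three-block message; the third block is the part an attacker would cut off.
SAMPLE_MESSAGE = b"TRANSFER 0100.00" + b"TO ACCT 11111111" + b"AUTH CODE 98765 "


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function; SHA-256 stands in for a real cipher's round.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:HALF]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "example uses whole blocks; no padding"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Each plaintext block depends only on its own ciphertext block and the previous
    # one, which is exactly why a ciphertext prefix decrypts to a plaintext prefix.
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def truncate_blocks(ciphertext: bytes, keep: int) -> bytes:
    """Keep only the first `keep` ciphertext blocks (needs no key)."""
    return ciphertext[:keep * BLOCK]


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the IV and the entire ciphertext."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, iv: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: message truncated or altered")
    return cbc_decrypt(enc_key, iv, ct)


# Fixed keys and IV so the demonstration is reproducible (constructed values).
ENC_KEY, MAC_KEY, IV = b"k" * 16, b"m" * 16, b"\x01" * 16


def prefix_decrypts_cleanly() -> bool:
    """Plain CBC: dropping the third block yields the first two plaintext blocks with no error."""
    ct = cbc_encrypt(ENC_KEY, IV, SAMPLE_MESSAGE)
    return cbc_decrypt(ENC_KEY, IV, truncate_blocks(ct, 2)) == SAMPLE_MESSAGE[:2 * BLOCK]


def mac_rejects_truncation() -> bool:
    """With a MAC over the full ciphertext the same truncation is detected."""
    sealed = seal(ENC_KEY, MAC_KEY, IV, SAMPLE_MESSAGE)
    ct, tag = sealed[:-32], sealed[-32:]
    try:
        open_sealed(ENC_KEY, MAC_KEY, IV, truncate_blocks(ct, 2) + tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("prefix of CBC ciphertext decrypts silently:", prefix_decrypts_cleanly())
    print("encrypt-then-MAC rejects the truncated message:", mac_rejects_truncation())
```

The first function returns True, which is the problem: the two-block message "TRANSFER ... TO ACCT ..." decrypts cleanly without the third block. The second also returns True, because the HMAC was computed over all three blocks and the truncated ciphertext no longer matches it; the same check also catches any other in-flight modification of the ciphertext.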
RECOMMENDATIONS
Eliminate unnecessary data; keep tabs on what’s left. Consider using the built-in security features that are provided with your Internet browser instead of disabling them. Always log out of the online banking site or application completely. Use a current Internet browser with 128-bit encryption that supports secure and private transactions. If your computer is on a wireless network (home or public), ensure that the router settings are secure (encrypted). Using scanning devices, individuals can intercept unencrypted signals and view or obtain your information.
It is recommended to clear the browser cache before starting an online banking session in order to eliminate copies of web pages that have been stored on the hard drive.
Use caution when downloading files, installing software, or opening email attachments from unverified or unknown sources. Many of these files contain spyware or key-logging programs that can send information back to a malicious site.
Download apps only from trusted stores and/or markets.
9
To protect the bank from security breaches, you should adopt internal controls and guidelines like the following:
Protect your machines. Place limits and controls on who has access to your computer systems. Make sure your organization’s computers are running the latest operating system and versions of software, web browser, and anti-virus protection. Check that your anti-virus software is up-to-date and updated automatically.
Keep your computers up-to-date with security fixes by turning on Automatic Updates, and make sure you reboot when prompted. Filter websites and use a good firewall with intrusion prevention. And don’t do your banking from a computer that is used to surf the web – limit which computers can be used to perform online banking.
Protect your password. Never give it to anyone and don’t write it down. Use a secure password manager if you need help keeping track of many passwords.
Teach your employees to be cautious and suspicious, and never take e-mail at face value – especially if it seems urgent or contains threats. These may be phishing attempts designed to trick people into opening a malicious link or attachment. They should know to always check any suspicious or unexpected communications by calling, e-mailing, or going to a website directly instead of clicking any links.
Let us help you limit fraud. Use fraud protection services such as Positive Pay for checks issued and ACH Monitoring Service, including debit and credit blocks for unauthorized ACH entries to your account. Also, use payment templates to prevent unauthorized modifications, and ensure that your payment limits reflect your typical transaction amounts.
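Positive Pay and ACH debit filtering, the two fraud controls the last recommendation names, both come down to reconciling what the bank is asked to pay against what the customer said it would pay. The code below is an added example, not the bank's own system; the record layouts, field names, limits and all sample transactions (one clean check, a raised amount, an altered payee, a counterfeit serial, a duplicate, and three ACH debits) are constructed for this example.

```python
"""Positive Pay and ACH debit filtering implemented as a small reconciliation.
Added example; not the bank's own system. Record layouts, field names, limits and
all sample transactions are constructed for this example."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Check:
    number: int
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class AchDebit:
    originator_id: str   # company ID of the party pulling funds from the account
    amount: Decimal
    description: str


def positive_pay(register: List[Check], presented: List[Check]) -> Tuple[List[int], List[Tuple[int, str]]]:
    """Match each presented check against the customer's issued-check register.
    Returns (check numbers to pay, exceptions as (number, reason)). Exceptions are
    held for the customer's pay/return decision rather than paid by default."""
    issued = {c.number: c for c in register}
    seen = set()
    pay, exceptions = [], []
    for p in presented:
        if p.number in seen:                      # same serial presented twice
            exceptions.append((p.number, "duplicate presentment"))
            continue
        seen.add(p.number)
        c = issued.get(p.number)
        if c is None:
            exceptions.append((p.number, "not in issued register"))
        elif c.amount != p.amount:
            exceptions.append((p.number, f"amount altered: issued {c.amount}, presented {p.amount}"))
        elif c.payee.strip().casefold() != p.payee.strip().casefold():
            exceptions.append((p.number, f"payee altered: issued {c.payee!r}, presented {p.payee!r}"))
        else:
            pay.append(p.number)
    return pay, exceptions


def ach_debit_filter(allowed: Dict[str, Decimal], debits: List[AchDebit]):
    """allowed maps an approved originator ID to the largest single debit it may pull.
    Anything from an unknown originator, or above its limit, is blocked for review."""
    posted, blocked = [], []
    for d in debits:
        limit = allowed.get(d.originator_id)
        if limit is None:
            blocked.append((d, "originator not on the debit filter"))
        elif d.amount > limit:
            blocked.append((d, f"exceeds per-debit limit of {limit}"))
        else:
            posted.append(d)
    return posted, blocked


def sample_check_run():
    """Constructed register and presentment file."""
    register = [
        Check(1001, Decimal("250.00"), "Acme Office Supply"),
        Check(1002, Decimal("1200.00"), "Metro Leasing"),
        Check(1003, Decimal("75.50"), "Jane Smith"),
    ]
    presented = [
        Check(1001, Decimal("250.00"), "Acme Office Supply"),   # clean
        Check(1002, Decimal("12000.00"), "Metro Leasing"),      # amount raised
        Check(1003, Decimal("75.50"), "J. Smith Holdings"),     # payee altered
        Check(1004, Decimal("500.00"), "Cash"),                 # serial never issued
        Check(1001, Decimal("250.00"), "Acme Office Supply"),   # duplicate presentment
    ]
    return positive_pay(register, presented)


def sample_ach_run():
    """Constructed debit filter and incoming ACH debits."""
    allowed = {"1234567890": Decimal("5000.00"), "9876543210": Decimal("800.00")}
    debits = [
        AchDebit("1234567890", Decimal("4200.00"), "PAYROLL SVC"),
        AchDebit("9876543210", Decimal("950.00"), "UTILITY CO"),
        AchDebit("5555555555", Decimal("49.99"), "SUBSCRIPTION"),
    ]
    return ach_debit_filter(allowed, debits)


if __name__ == "__main__":
    pay, exceptions = sample_check_run()
    print("pay:", pay)
    for number, reason in exceptions:
        print(f"exception check {number}: {reason}")
    posted, blocked = sample_ach_run()
    print("posted:", [d.description for d in posted])
    for d, reason in blocked:
        print(f"blocked {d.description} from {d.originator_id}: {reason}")
```

Amounts are compared as Decimal rather than float so that 1200.00 and 12000.00 can never be confused by rounding, and payee comparison is case- and whitespace-insensitive so that trivial formatting differences between the register and the image-captured payee line do not flood the exception queue. The per-originator limit in the ACH filter is the "payment limits reflect your typical transaction amounts" advice applied to debits.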
10
References:
http://securityaffairs.co/wordpress/9346/cyber-crime/who-is-attacking-the-financial-world-and-why.html
http://www.ft.com/cms/s/0/9de4a842-2ef6-11e4-a054-00144feabdc0.html#axzz3PUdSWHiN
https://www.bba.org.uk/wp-content/uploads/2014/06/BBAJ2110_Cyber_report_May_2014_WEB.pdf
https://nuonline.neu.edu/bbcswebdav/pid-7976074-dt-content-rid-10637542_1/courses/ITC6320.20495.201525/ITC6320.20495.201525_ImportedContent_20141221085908/ITC6320.81180.201435_ImportedContent_20140325044529/ES_data-breach-investigations-report-2013_Excutive%20summary.pdf
http://www.eecs.berkeley.edu/~fox/summaries/glomop/kerb_limit.html
https://www.fremontbank.com/about/business-online-security/security-recommendations