Cyber Security - Issues Related to Financial Transactions
ntiprit.gov.in/courses/cyber22jan14/3_Financial.pdf


CHIRANSHU AHUJA
Sr. Security Analyst, Data Security Council of India

Location – Sanchar Bhawan, New Delhi

Date – 22/01/2014

Cyber Security - Issues Related to Financial Transactions

A NASSCOM® Initiative

Cyber Security is widely recognised as a challenge for governments and businesses alike.

Source: IBM Data Breach Statistics


SCALE OF CYBERCRIME

$388 BILLION: the total bill for cybercrime footed by cybercriminals

Source: Norton Cyber Crime Report


THE COST OF CYBER APATHY

$7.6 BILLION: total net cost of cybercrime

Source: Norton Cyber Crime Report

INDIA

15 DAYS/VICTIM

CASH COSTS $4 BN

TIME COSTS $3.6 BN


CYBERCRIME EXPERIENCES - INDIA

80% of online adults have experienced cybercrime in their lifetime

Source: Norton Cyber Crime Report


WHAT WE DO KNOW

TRANSACTIONS ARE A PRIME TARGET.

COMPANIES’ SYSTEMS HAVE BEEN HACKED OR COMPROMISED


WHAT WE DO KNOW

THE ACT OF MOVING FUNDS PRESENTS A RISK OF INTERCEPTION


TOP CYBERCRIMES

(Chart: share of online adults affected, on a 0–70% scale, for Computer Malware, Online Scams, Phishing and Overall.)


CYBER THREATS


PHISHING

Usually an email with a malware-infected attachment or hyperlink is sent to one or a small group of specific individuals at the target organisation.

It is a method of online identity theft. In addition to stealing personal and financial data, phishers can infect computers with viruses and convince people to participate unwittingly in money laundering.


PHISHING ATTACK

In 2012-2013, 37.3 million users were subjected to phishing attacks.

Up 87% from 2011-2012

Source: Kaspersky Lab Report


PHISHING ATTACK


PHISHING ATTACK EXAMPLE


AVOIDING PHISHING ATTACK

› Be suspicious of any email with urgent requests for personal financial information.

› Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't know the sender or user's handle.

› Avoid filling out forms in email messages that ask for personal financial information.

› Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser.

› Have an up-to-date security software suite installed.


RECOMMENDATIONS FOR ORGANISATION – Preventive Measures

› Educating customers and employees on ID theft, phishing and eCrime.

› Provide a platform for customers to verify and report any suspicious emails.

› Keep website certificates up to date.

› Consider registering domain names that are similar to the one currently used by the organisation.

› Strengthen the security controls of the websites, applications and email systems of the organisation.

› Perform simulated attacks on staff to gauge their readiness against external social engineering attacks such as phishing.


RECOMMENDATIONS FOR ORGANISATION – Detective Measures

› Monitor the Internet for fraudulent variations of your organisation's name, trademark, seal or website address.

› Monitor the websites of your organisation for any suspicious activities.

› Identify and notify management of any reports of suspicious activities on websites or phishing emails.
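The detective measure above (watching for fraudulent variations of the organisation's website address) and the earlier phishing advice about links that lead somewhere other than the real site, as an added example that is not code from the slides or from DSCI: it normalises look-alike characters and scores candidate domain names against a brand domain. The brand domain, the homoglyph table, the short public-suffix list and the sample domains are all assumed or constructed.

```python
import unicodedata
from difflib import SequenceMatcher
BRAND_DOMAIN = "examplebank.in"   # hypothetical organisation domain (assumed, not from the slides)
# Characters commonly swapped for the letters they resemble; normalising them exposes disguised names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l", "@": "a"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}   # for names such as examplebank.co.in

def registrable_label(domain: str) -> str:
    """Lower-case the name and return the label directly under the public suffix."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def normalise(label: str) -> str:
    """Strip accents, map look-alike characters and drop hyphens before comparing."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    label = label.translate(HOMOGLYPHS).replace("-", "")
    for pair, single in MULTI_CHAR:
        label = label.replace(pair, single)
    return label

def lookalike_score(candidate: str, brand: str = BRAND_DOMAIN) -> float:
    """Similarity in 0..1 between the candidate's registrable label and the brand's."""
    a, b = normalise(registrable_label(candidate)), normalise(registrable_label(brand))
    if a == b:
        return 1.0
    if b in a:                  # brand embedded in a longer label, e.g. examplebank-secure
        return 0.95
    return SequenceMatcher(None, a, b).ratio()

def flag_lookalikes(domains, brand: str = BRAND_DOMAIN, threshold: float = 0.85):
    """Return (domain, score) pairs that resemble the brand but are not the brand itself."""
    hits = []
    for dom in domains:
        if dom.lower().strip(".") == brand:
            continue                # the organisation's own site is not a finding
        score = lookalike_score(dom, brand)
        if score >= threshold:
            hits.append((dom, round(score, 2)))
    return sorted(hits, key=lambda hit: -hit[1])

# Constructed sample, as names might arrive from a new-registration feed or from sender
# addresses in emails that customers report.
SAMPLE = ["examplebank.in", "examp1ebank.in", "exarnplebank.co.in", "examplebank-secure.com",
          "exanplebank.in", "example-bank.in", "unrelatedshop.in"]

if __name__ == "__main__":
    print(flag_lookalikes(SAMPLE))
```

Each flagged name is a candidate for the alerting and takedown steps in the responsive measures, not proof of fraud on its own.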


RECOMMENDATIONS FOR ORGANISATION – Responsive Measures

› Issue alerts to the users, through press releases, the website or postal mail, about the fraudulent website.

› Report phishing sites to CERT-In.

› Advise users who suspect they have been defrauded to change their passwords immediately and to contact the organisation.

› Issue alerts to staff, administrators or service providers of the organisation's website to strengthen security measures.


Identity Theft

› Accessing sensitive information on financial websites requires authentication.

› This information is generally susceptible to compromise.

› Various attack techniques persist to compromise the authentication information.


Attack


Solutions

› The use of 2 Factor Authentication lowers risk and the potential for unscrupulous behaviour. It minimises the potential of identity theft.

› Using Enforced TLS, one can be sure that data will be encrypted before it is sent across the Internet, and therefore will not be read by anyone except the intended merchant.


MALWARE

Malware is extremely bad news from a security and privacy perspective.

Malware may be capable of stealing account details and passwords, reading the documents on a computer and hiding itself from other programs.

Malware is even capable of using your computer's microphone, webcam, or other peripherals against you.


MALWARE IN FINANCIAL SECTOR

200,000 new infections from July to September 2013

Source: TrendMicro


MALWARE – Infection Method

Spam Emails – Attempts to trick the user with emails purporting to come from well-known institutions such as FDIC, IRS, MySpace, Facebook, or Microsoft.

Drive-by downloads – When an unsuspecting user visits one of these Web sites, a vulnerable computer becomes infected with the threat.


MALWARE – Drive-by Download


MALWARE – ZeuS (Banking Trojan)

› ZeuS has primarily been designed to steal confidential information from the computers it compromises.

› It specifically targets system information, online credentials, and banking details.

› Additionally it contacts a command-and-control (C&C) server and makes itself available to perform additional functions.

Other examples include Carberp, Citadel, SpyEye.


MALWARE – Prevention and Avoidance

› Users should use caution when clicking links in emails.

› Users are advised to ensure that their OS, antivirus and firewall software is up to date.

› Users can also check online Web site rating services such as safeweb.norton.com to see if the site is deemed safe to visit.


MALWARE – Organisation’s Role

› Implementation of Technical tools may include corporate-class antivirus and antispyware software that is installed not just on workstations, but also on file and mail servers.

› It is imperative to have Procedural solutions to the malware threat in place to protect your organization.

› Ensuring that every system in the organisation has an updated OS, antivirus and firewall.


RBI Recommendations

› Access to information assets needs to be authorised by a bank only where a valid business need exists and only for the specific time period that the access is required.

› Information security needs to be considered at all stages of an information asset’s life-cycle like planning, design, acquisition and implementation, maintenance and disposal.

› It is acknowledged that the human link is the weakest link in the information security chain. Hence, there is a vital need for an initial and ongoing training and information security awareness programme.

› All application systems need to be tested before implementation in a robust manner regarding controls to ensure that they satisfy business policies/rules of the bank and regulatory and legal prescriptions/requirements.


RBI Recommendations

› Banks need to carry out due diligence with regard to new technologies since they can potentially introduce additional risk exposures.

› Normally, a minimum of 128-bit SSL encryption is expected. Constant advances in computer hardware, cryptanalysis and distributed brute force techniques may induce use of larger key lengths periodically.

› Banks need to define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.

› Banks can also consider incorporating DoS attack considerations in their ISP selection process. An incident response framework should be devised and validated periodically to facilitate fast response to a DDoS onslaught or an imminent attack.
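For the "Enforced TLS" solution earlier and the RBI expectation of at least 128-bit encryption above, an added audit of a Python client `ssl.SSLContext` against that policy; this is not code from the slides or from RBI, and the thresholds (TLS 1.2, 128-bit ciphers) and the cipher string are assumptions. The point it makes is that encryption alone is not enough: the peer's certificate and hostname must also be verified, or the data is encrypted to whoever answers.

```python
import ssl

# Policy taken from the slides' guidance, with thresholds chosen here (assumed):
# a modern TLS version, ciphers of at least 128 bits, and a verified peer identity.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
MIN_BITS = 128

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return policy findings for a client SSLContext; an empty list means compliant."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (CERT_REQUIRED not set)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < MIN_VERSION:
        findings.append("minimum protocol version below %s" % MIN_VERSION.name)
    weak = sorted({c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_BITS})
    if weak:
        findings.append("ciphers below %d bits enabled: %s" % (MIN_BITS, ", ".join(weak)))
    return findings

def enforced_tls_context() -> ssl.SSLContext:
    """Client context that satisfies the policy above."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers("HIGH:!aNULL:!MD5:!RC4")     # OpenSSL 'HIGH' keeps 128-bit and stronger
    return ctx

def lax_context() -> ssl.SSLContext:
    """The weak configuration: traffic is encrypted, but to whoever answers the connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    for label, ctx in (("lax", lax_context()), ("enforced", enforced_tls_context())):
        print(label, audit_context(ctx) or ["compliant"])
```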


RBI Recommendations

› Banks should ensure that vulnerability scanning is performed in an authenticated mode at least quarterly.

› Typical controls to protect against malicious code use layered combinations of technology, policies and procedures and training.

› A Patch Management process needs to be in place to address technical system and software vulnerabilities quickly and effectively in order to reduce the likelihood of a serious business impact arising.

› Protection against growing cyber threats requires multiple layers of defenses, known as defense in depth. As every organization is different, this strategy should therefore be based on a balance between protection, capability, cost, performance, and operational considerations. Defense in depth for most organizations should at least consider the following two areas:

(a) Protecting the enclave boundaries or perimeter

(b) Protecting the computing environment.


THE COST OF CYBER APATHY

GLOBALLY 41% do not have an up-to-date security software suite to protect their personal information online

Source: Norton Cyber Crime Report


Common Safety Tips

› Use Up-To-Date Security Software Suite

› Insert firewalls, pop-up blockers

› Maintain Backups

› Use Secure Connection

› Open Attachments carefully

› Use strong passwords, don’t give personal information unless required

THANK YOU
