Cyber Security - Issues Related to Financial Transactions
CHIRANSHU AHUJA
Sr. Security Analyst, Data Security Council of India
Location – Sanchar Bhawan, New Delhi
Date – 22/01/2014
Source: ntiprit.gov.in/courses/cyber22jan14/3_Financial.pdf
A NASSCOM® Initiative
Cyber Security is widely recognised as a challenge for online adults who have experienced cybercrime in their lifetime.
WHAT WE DO KNOW
TRANSACTIONS ARE A PRIME TARGET. COMPANIES' SYSTEMS HAVE BEEN HACKED OR COMPROMISED.
WHAT WE DO KNOW
THE ACT OF MOVING FUNDS PRESENTS A RISK OF INTERCEPTION.
TOP CYBERCRIMES
(Bar chart, share of respondents on a 0%–70% scale, for: Computer Malware, Online Scams, Phishing, Overall)
CYBER THREATS
PHISHING
Usually an email with a malware-infected attachment or hyperlink is sent to one person or a small group of specific individuals at the target organisation (this targeted form is known as spear phishing).
It is a method of online identity theft. In addition to stealing personal and financial data, phishers can infect computers with viruses and convince people to participate unwittingly in money laundering.
PHISHING ATTACK
In 2012-2013, 37.3 million users were subjected to phishing attacks.
Up 87% from 2011-2012
Source: Kaspersky Lab Report
PHISHING ATTACK
PHISHING ATTACK EXAMPLE
AVOIDING PHISHING ATTACK
› Be suspicious of any email with urgent requests for personal financial information.
› Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't know the sender or user's handle; type the organisation's address yourself or use a saved bookmark.
› Avoid filling out forms in email messages that ask for personal financial information.
› Always ensure that you're using a secure website (HTTPS, with a valid certificate for the site you intended to visit) when submitting credit card or other sensitive information via your Web browser.
› Have an up-to-date security software suite installed.
RECOMMENDATIONS FOR ORGANISATION
Preventive Measures
› Educating customers and employees on ID theft, phishing and eCrime.
› Provide a platform for customers to verify and report any suspicious emails.
› Keep website certificates up to date.
› Consider registering domain names that are similar to the one currently used by the organisation, so that they cannot be used to host look-alike phishing sites.
› Strengthen the security controls of the websites, applications and email systems of the organisation.
› Perform simulated attacks on staff to gauge their readiness against external social engineering attacks such as phishing.
RECOMMENDATIONS FOR ORGANISATION
Detective Measures
› Monitor the Internet for fraudulent variations of your organisation's name, trademark, seal or website address.
› Monitor the websites of your organisation for any suspicious activities.
› Identify and notify management of any reports of suspicious activities on websites or phishing emails.
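The preventive advice to register similar domain names and the detective advice to monitor the Internet for fraudulent variations of the organisation's website address both need the same thing: a list of the look-alike names an attacker is likely to use. The following is an added example (not part of the original deck) that enumerates typosquat variants of a domain and screens a feed of observed names, such as new registrations or certificate-transparency log entries, against them. The organisation's domain `examplebank.in`, the confusable-character table, and the feed of registrations are all constructed for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed example domain (assumption; the organisation's real domain is not on the page).
ORG_DOMAIN = "examplebank.in"

# Small illustrative table of confusable substitutions used by typosquatters
# (assumption: not a complete homoglyph list).
CONFUSABLES = {
    "a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
    "o": ["0"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}
OTHER_TLDS = ["com", "co.in", "net", "org", "in"]


def split_domain(domain: str) -> Tuple[str, str]:
    """'examplebank.in' -> ('examplebank', 'in'); 'x.co.in' -> ('x', 'co.in')."""
    parts = domain.lower().split(".")
    return parts[0], ".".join(parts[1:])


def lookalike_domains(domain: str) -> Set[str]:
    """Enumerate the look-alike names an organisation may want to register or watch for."""
    label, tld = split_domain(domain)
    variants: Set[str] = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])               # omission: examplbank
        variants.add(label[:i] + label[i] + label[i:])        # repetition: exaamplebank
        for sub in CONFUSABLES.get(label[i], []):             # confusable: examp1ebank
            variants.add(label[:i] + sub + label[i + 1:])
    for i in range(len(label) - 1):                           # transposition: exmaplebank
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):                            # hyphenation: example-bank
        variants.add(label[:i] + "-" + label[i:])
    for prefix in ("secure-", "login-", "my"):                # common prefixes: secure-examplebank
        variants.add(prefix + label)
    out = {f"{v}.{tld}" for v in variants}
    out.update(f"{label}.{t}" for t in OTHER_TLDS if t != tld)  # TLD swap: examplebank.com
    out.discard(domain.lower())
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute); catches variants not enumerated above."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(observed: str, domain: str) -> Optional[str]:
    """Why `observed` resembles `domain`, or None if it does not (the exact domain is never flagged)."""
    observed, domain = observed.lower(), domain.lower()
    if observed == domain:
        return None
    label, _ = split_domain(domain)
    obs_label, _ = split_domain(observed)
    if observed in lookalike_domains(domain):
        return "enumerated-variant"
    if label in obs_label:
        return "contains-brand"
    if edit_distance(label, obs_label) <= 1:
        return "edit-distance-1"
    return None


def flag_lookalikes(observed: List[str], domain: str) -> Dict[str, str]:
    """Screen a feed of domain names (new registrations, CT log entries) for look-alikes."""
    hits = {}
    for name in observed:
        reason = lookalike_reason(name, domain)
        if reason:
            hits[name.lower()] = reason
    return hits


# Constructed feed of newly registered domains (not real data).
NEW_REGISTRATIONS = [
    "examplebank.in",          # the organisation's own domain, never flagged
    "examp1ebank.in",          # digit-for-letter confusable
    "exmaplebank.in",          # transposition
    "examplebank.co.in",       # TLD swap
    "examplebank-secure.com",  # brand embedded in a longer label
    "examplebamk.in",          # one-character substitution not in the confusable table
    "unrelatedbank.in",        # legitimate third party
]

if __name__ == "__main__":
    for name, why in sorted(flag_lookalikes(NEW_REGISTRATIONS, ORG_DOMAIN).items()):
        print(f"{name:26} {why}")
```

The enumerated set is what the preventive measure would register; the feed screening is the detective measure. Every hit still needs a human look (an unrelated legitimate business can be one edit away from the brand), so the output is a work queue, not an automatic takedown list.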
RECOMMENDATIONS FOR ORGANISATION
Responsive Measures
› Issue alerts to the users, through press releases, the website, postal mail or email, about the fraudulent website.
› Report phishing sites to CERT-In.
› Advise users who suspect they have been defrauded to change their passwords immediately and to contact the organisation.
› Issue alerts to staff, administrators or service providers of the organisation's website to strengthen security measures.
Identity Theft
› Accessing sensitive information on financial websites requires authentication.
› The authentication information is generally susceptible to compromise.
› Various attack techniques exist to compromise the authentication information.
Attack
Solutions
› The use of 2 Factor Authentication lowers the risk and the potential for unscrupulous behaviour: a stolen password alone is no longer enough to log in, which minimises the potential for identity theft.
› Using Enforced TLS one can be sure that data will be encrypted before it is sent across the Internet, and therefore will not be read by anyone except the intended merchant. This holds only when the client verifies the server's certificate and hostname; TLS does not protect a user who has been lured to a phishing site that has its own valid certificate, or whose machine already hosts malware.
MALWARE
Malware is extremely bad news from a security and privacy perspective.
Malware may be capable of stealing account details and passwords, reading the documents on a computer and hiding itself from other programs.
Malware is even capable of using your computer's microphone, webcam, or other peripherals against you.
MALWARE IN FINANCIAL SECTOR
200,000 new infections from July to September 2013
Source: TrendMicro
MALWARE – Infection Method
Spam Emails: attempts to trick the user with emails purported to come from well-known institutions such as FDIC, IRS, MySpace, Facebook, or Microsoft.
Drive-by downloads: when an unsuspecting user visits a compromised or malicious web site, a vulnerable computer becomes infected with the threat without any further action by the user.
MALWARE – Drive-by Download
MALWARE – ZeuS (Banking Trojan)
› ZeuS has primarily been designed to steal confidential information from the computers it compromises.
› It specifically targets system information, online credentials, and banking details.
› Additionally it contacts a command-and-control (C&C) server and makes itself available to perform additional functions.
Other examples include Carberp, Citadel, SpyEye.
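The command-and-control contact described above is also the behaviour a defender can look for: a banking trojan checks in with its C&C server on a timer, so an infected workstation produces HTTP requests to one host at near-constant intervals, unlike a person browsing. The following is an added example (not from the deck or any of the named malware families) of that detection run over a constructed proxy log; the log lines, the client addresses and the `203.0.113.7` C&C host are all made up for illustration, and the thresholds are starting points to tune.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed web-proxy log (assumption: not real traffic). Fields: timestamp, client IP,
# method, URL, HTTP status. 203.0.113.7 is a documentation address standing in for a C&C host.
SAMPLE_LOG = """\
2013-09-12T10:00:00 10.0.0.5 GET http://203.0.113.7/gate.php 200
2013-09-12T10:00:07 10.0.0.5 GET http://intranet.example/news 200
2013-09-12T10:05:01 10.0.0.5 POST http://203.0.113.7/gate.php 200
2013-09-12T10:09:59 10.0.0.5 POST http://203.0.113.7/gate.php 200
2013-09-12T10:10:30 10.0.0.9 GET http://www.example.org/ 200
2013-09-12T10:11:02 10.0.0.9 GET http://www.example.org/page2 200
2013-09-12T10:15:02 10.0.0.5 POST http://203.0.113.7/gate.php 200
2013-09-12T10:20:00 10.0.0.5 POST http://203.0.113.7/gate.php 200
2013-09-12T10:24:58 10.0.0.5 POST http://203.0.113.7/gate.php 200
2013-09-12T10:31:12 10.0.0.9 GET http://www.example.org/about 200
2013-09-12T10:40:03 10.0.0.9 GET http://www.example.org/contact 200
"""


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Return (timestamp, client IP, destination host) for one log line."""
    ts, src, _method, url, _status = line.split()
    host = url.split("//", 1)[1].split("/", 1)[0]
    return datetime.fromisoformat(ts), src, host


def find_beacons(log_text: str, min_requests: int = 5, max_cv: float = 0.2) -> Dict[Tuple[str, str], dict]:
    """Flag (client, host) pairs whose request intervals are suspiciously regular.

    cv = stdev(intervals) / mean(intervals). Human browsing has a high cv; a malware
    check-in timer has a cv close to 0 plus whatever jitter the author added."""
    series: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, host = parse_line(line)
            series[(src, host)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[key] = {"requests": len(times), "mean_interval_s": round(mean, 1), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, host), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {info}")
```

In production the same logic runs over a day of proxy or DNS logs with an allow-list for software-update and monitoring hosts, which also beacon; the value of the check is that it needs no signature for the specific trojan, only the host's own traffic history.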
MALWARE – Prevention and Avoidance
› Users should use caution when clicking links in emails.
› Users are advised to ensure that their OS, antivirus and firewall software is up to date.
› Users can also check online Web site rating services such as safeweb.norton.com to see if the site is deemed safe to visit.
MALWARE – Organisation's Role
› Implementation of technical tools may include corporate-class antivirus and antispyware software that is installed not just on workstations, but also on file and mail servers.
› It is imperative to have procedural solutions to the malware threat in place to protect your organisation.
› Ensuring that every system in the organisation has an up-to-date OS, antivirus and firewall.
RBI Recommendations
› Access to information assets needs to be authorised by a bank only where a valid business need exists and only for the specific time period that the access is required.
› Information security needs to be considered at all stages of an information asset’s life-cycle like planning, design, acquisition and implementation, maintenance and disposal.
› It is acknowledged that the human link is the weakest link in the information security chain. Hence, there is a vital need for an initial and ongoing training and information security awareness programme.
› All application systems need to be tested before implementation in a robust manner regarding controls to ensure that they satisfy business policies/rules of the bank and regulatory and legal prescriptions/requirements.
RBI Recommendations
› Banks need to carry out due diligence with regard to new technologies since they can potentially introduce additional risk exposures.
› Normally, a minimum of 128-bit SSL encryption is expected. Constant advances in computer hardware, cryptanalysis and distributed brute force techniques may induce use of larger key lengths periodically. (In current terms this means TLS 1.2 or later with cipher suites of at least 128-bit strength; the SSL protocol versions themselves are deprecated and should be disabled.)
› Banks need to define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
› Banks can also consider incorporating DoS attack considerations in their ISP selection process. An incident response framework should be devised and validated periodically to facilitate fast response to a DDoS onslaught or an imminent attack.
RBI Recommendations
› Banks should ensure that vulnerability scanning is performed in an authenticated mode at least quarterly.
› Typical controls to protect against malicious code use layered combinations of technology, policies and procedures and training.
› A Patch Management process needs to be in place to address technical system and software vulnerabilities quickly and effectively in order to reduce the likelihood of a serious business impact arising.
› Protection against growing cyber threats requires multiple layers of defenses, known as defense in depth. As every organization is different, this strategy should therefore be based on a balance between protection, capability, cost, performance, and operational considerations. Defense in depth for most organizations should at least consider the following two areas:
(a) Protecting the enclave boundaries or perimeter
(b) Protecting the computing environment.
THE COST OF CYBER APATHY
Globally, 41% do not have an up-to-date security software suite to protect their personal information online.
Source: Norton Cyber Crime Report
Common Safety Tips
› Use Up-To-Date Security Software Suite
› Use a firewall and a pop-up blocker
› Maintain Backups
› Use Secure Connection
› Open Attachments carefully
› Use strong passwords, don’t give personal information unless required