Rohit K. Agrawal
MS in Information Systems Management, Ferris State University, 2011
BS in Engineering, India, 2008
Advisor: Dr. James H. Jones, Jr., Assistant Professor, Accounting, Finance, and Information Systems Department
MISM 799 - Spring 2011, Ferris State University, Big Rapids, MI
This is dedicated to my Parents, Mr. Anoop K. Agrawal and Mrs. Nisha Agrawal, for their unconditional love, patience and understanding. I would also like to thank my teachers and friends for their extreme support and guidance.
1. I would like to thank Dr. James Jones, Information Systems Management (ISM) professor at Ferris State University, for his valuable advice, constructive approach and feedback, and his continuous encouragement, which enabled me to complete this project on time.
2. Information provided in this research paper is entirely based on data obtained and compiled from various reference materials (textbooks, articles and documents from the World Wide Web).
TABLE OF CONTENTS
Dedication .......... 2
Acknowledgements .......... 3
List of Tables .......... 6
List of Figures .......... 6
Abstract .......... 7
CHAPTERS
Chapter 1: Introduction .......... 8
  Purpose .......... 8
  Research Points .......... 8
  Glossary of Terms .......... 9
  Financial Institution .......... 14
  Bank of America .......... 17
  Citibank .......... 21
Chapter 2: Information Security Standards .......... 23
  Need for Online Banking Security Standards .......... 23
  Overview of Information Security Standards .......... 24
  Information Security Standards .......... 27
  Data Security Standards for Payment Card Industry .......... 30
  Information Security Regulations .......... 32
  Summary .......... 35
Chapter 3: Online Security Breaches .......... 36
  Introduction .......... 36
  Threat Categories .......... 36
  The Threat Environment .......... 39
  Anatomy of an Incident .......... 43
Chapter 4: Security Best Practices .......... 45
  Computer Security Best Practices .......... 45
  E-commerce Security Best Practices .......... 46
  Role of Authentication in an Internet Banking Environment .......... 49
  Authentication Techniques, Processes, and Methodologies .......... 51
Chapter 5: Consequences of Poor Online Security .......... 56
  What Should You Do to Address the Problem? .......... 60
  Determine What Not To Do .......... 61
  Various Delivery Models .......... 63
  Conclusion and Recommendation .......... 67
References .......... 69
LIST OF FIGURES
Figure 1. Evolution of Threat .......... 24
LIST OF TABLES
Table 1. Source for Security Breaches .......... 42
ABSTRACT
BEST PRACTICES FOR ONLINE BANKING SECURITY
Rohit K. Agrawal, M.S. ISM, Ferris State University, 2011
Advisor: Dr. James H. Jones, Jr.
This research paper is a requirement for the MISM 799 "Integrated Capstone Project" course, a spring 2011 class in the Ferris State University Master of Science in Information Systems Management Program. The objective of this research paper is to provide the reader an introductory knowledge and awareness of the information security standards in financial institutions and their offered services. This research paper contains a description of the security breaches and their impact on various organizations. It also explains the role of authentication and security best practices in these institutions. This paper is divided into five chapters, namely:
Chapter 1: This chapter briefly traces the offered services by financial institutions.
Chapter 2: This chapter explores the various information security standards.
Chapter 3: This chapter contains information on online security breaches.
Chapter 4: This chapter gives information on security best practices.
Chapter 5: This chapter shows the consequences of poor online security in financial institutions.
CHAPTER 1 INTRODUCTION
Purpose
The purpose of this paper is to provide the reader an introductory exploration of the current trends and best practices in online banking security on the internet. Please note that this paper is not intended to offer a comprehensive analysis of any covered areas of the Internet, electronic commerce or any financial institution.
Research Points
Within the confines of the paper requirements, the ensuing pages will focus on:
Financial Institutions and their offered services
Information Security Standards
Online Security breaches and their causes
Types of Security breaches
Security Best practices
Role of Authentication
Consequences of poor online security
Glossary of Terms
Address Verification Service: The Address Verification Service (AVS) is a security system designed to combat one of the most common forms of online credit card fraud. AVS compares the billing address information provided by the customer with the billing address on file at the customer's credit card issuer. The payment gateway receives an AVS response code and then either accepts or declines the transaction according to your configured settings.
Anti-virus: "Software that detects, repairs, cleans, or removes virus-infected files from a computer."
Bank: It is a financial organization where people keep their money.
Banking Security: "Safety of organization against criminal activity such as terrorism, theft, or espionage to protect its assets."
Card Code Verification (CCV): A customer's card code is a three- or four-digit security code printed on a credit card's signature panel in reverse italics, or following the full number on the front of the card. Similar to AVS, Card Code Verification (CCV) compares the customer's card code with the card code on file at the credit card issuer. The payment gateway receives the card code verification response code from the customer's bank and either accepts or declines the transaction according to your configured settings. Since the card code should only be known to the person in possession of the physical credit card, these additional numbers provide an extra measure of security against unauthorized credit card transactions.
CEO: Chief executive officer; the corporate executive responsible for the operations of the firm, reports to a board of directors, may appoint other managers and executives. (http://www.wordnetweb.princeton.edu/perl/webwn)
Cloud Computing: A new generation of computing that utilizes distant servers for data storage and management, allowing the device to use smaller and more efficient chips that consume less energy than standard computers. (http://www.financenewmexico.org/glossary.html)
Cyber Space: All of the data stored in a large computer or network represented as a three-dimensional model through which a virtual-reality user can move. (World English Dictionary)
Database: A systematized collection of data that can be accessed immediately and manipulated by a data-processing system for a specific purpose.
Database Warehouse: A Data Warehouse is a compilation of information/data prearranged so that it can effortlessly be used for querying and data analysis. (www.databasedir.com)
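Referring back to the Address Verification Service and Card Code Verification entries above, the following is an added example (not from this paper or from any real payment gateway) of the gateway-side decision step those entries describe: the issuer's AVS and CCV response codes are checked against the merchant's configured settings, and the card code is stripped before the transaction record is stored. The response-code names, the FraudPolicy fields and the sample transaction are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed AVS response codes, mapped to (street match, postal-code match).
# Real gateways use their own one-letter codes; these names are an assumption.
AVS_CODES: Dict[str, Tuple[str, str]] = {
    "FULL_MATCH": ("match", "match"),
    "STREET_ONLY": ("match", "no_match"),
    "ZIP_ONLY": ("no_match", "match"),
    "NO_MATCH": ("no_match", "no_match"),
    "UNAVAILABLE": ("unavailable", "unavailable"),  # issuer did not perform AVS
}

# Constructed CCV response codes (same caveat as above).
CCV_CODES = {"MATCH", "NO_MATCH", "NOT_PROCESSED", "NOT_PROVIDED"}


@dataclass
class FraudPolicy:
    """The merchant's configured settings that the gateway applies to the
    issuer's AVS and CCV answers. The defaults are an assumption for the example."""
    decline_street_mismatch: bool = True
    decline_zip_mismatch: bool = True
    decline_avs_unavailable: bool = False  # issuer could not check: accept by default
    decline_ccv_mismatch: bool = True
    decline_ccv_not_processed: bool = True
    require_ccv: bool = True               # decline when no card code was entered


@dataclass
class Decision:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def decide(avs_code: str, ccv_code: str, policy: FraudPolicy) -> Decision:
    """Accept or decline a transaction from the issuer's AVS and CCV responses.

    Unknown codes fail closed: an answer the gateway cannot interpret is
    treated as a decline rather than silently accepted.
    """
    reasons: List[str] = []

    if avs_code not in AVS_CODES:
        reasons.append(f"AVS: unrecognised response code {avs_code!r}")
    else:
        street, postal = AVS_CODES[avs_code]
        if street == "no_match" and policy.decline_street_mismatch:
            reasons.append("AVS: street address does not match issuer records")
        if postal == "no_match" and policy.decline_zip_mismatch:
            reasons.append("AVS: postal code does not match issuer records")
        if street == "unavailable" and policy.decline_avs_unavailable:
            reasons.append("AVS: issuer did not verify the address")

    if ccv_code not in CCV_CODES:
        reasons.append(f"CCV: unrecognised response code {ccv_code!r}")
    elif ccv_code == "NO_MATCH" and policy.decline_ccv_mismatch:
        reasons.append("CCV: card code does not match issuer records")
    elif ccv_code == "NOT_PROCESSED" and policy.decline_ccv_not_processed:
        reasons.append("CCV: issuer did not verify the card code")
    elif ccv_code == "NOT_PROVIDED" and policy.require_ccv:
        reasons.append("CCV: card code not provided")

    return Decision(accepted=not reasons, reasons=reasons)


def sanitize_for_storage(txn: dict) -> dict:
    """Return the transaction record as it may be written to the gateway's
    database: the card code is dropped entirely (PCI DSS forbids keeping it
    after authorisation) and the card number is masked to its last four digits.
    """
    record = {k: v for k, v in txn.items() if k != "card_code"}
    pan = record.get("card_number")
    if isinstance(pan, str) and len(pan) > 4:
        record["card_number"] = "*" * (len(pan) - 4) + pan[-4:]
    return record


if __name__ == "__main__":
    # Constructed sample: the issuer matched the postal code but not the street.
    sample = {"card_number": "4111111111111111", "card_code": "123", "amount": "19.99"}
    verdict = decide("ZIP_ONLY", "MATCH", FraudPolicy())
    print("accepted:", verdict.accepted, "reasons:", verdict.reasons)
    print("stored record:", sanitize_for_storage(sample))
```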
Direct Deposit: It is an electronic transfer of a payment directly from the account of the payer to the recipient's account.
E-Business: This term is coined for a company that has an online presence. It involves all business functions.
E-Commerce: E-commerce is a part of E-business. E-Commerce is about making transactions online through selling and buying of products and services.
Firewall: A part of a computer system or network that is designed to block unauthorized access while permitting outward communication.
Hackers: Hackers are enthusiastic and skillful computer programmers or users. A hacker can use these skills to gain unauthorized access to data or to protect the data.
Internet: The Internet is a global system of interconnected computer networks that use the standard Internet Protocol Suite (TCP/IP).
Intranet: It is a computer network with restricted access, as within a company, that uses software and protocols developed for the internet.
Java: Java is a programming language especially applicable to the World Wide Web.
Malware: It is a computer program which protects the user's computer or system from unwanted hazardous software by removing the viruses. It is a short name for malicious software.
Security: It is the state of being secure, or can also be said as safety from risks, danger, threats etc.
Spyware: Spyware is computer software designed specially to gather information about user browsing habits and send that information secretly to an individual or company that uses this data for marketing or other purposes.
Threat: "A person or thing that is regarded as dangerous or likely to inflict pain or misery." (www.dictionary.com)
Transaction: A) Business Computing: The act of obtaining and paying for an item or service. B) General Computing: The transmission and processing of an item of data.
Web Portal: It is a junction for all the information in one place, which presents information from varied sources in one place. A web portal offers information like news, email, weather forecast, horoscope, songs, entertainment etc. It is also known as a Links page.
World Wide Web (WWW): WWW is a collection of several internet servers which work to support hypertext documents and files. These servers also use hypertext to organize, connect, present and offer services throughout the internet.
Financial Institutions and Their Offered Services
Financial Institution: There are many web definitions for the term Financial Institution. The one more frequently found and relevant is obtained from Investorwords.com: "Financial institution is an institution that provides financial services to its clients or members." As mentioned on Finance.mapsofworld.com, "Financial institutions are the firms that provide financial services and advice to their clients. Financial institutes are also responsible for collecting funds from the public and placing them in financial assets, such as deposits, loans, and bonds, rather than tangible property. The financial institutions are generally regulated by the financial laws of government authority." BYU: Marriott School mentioned in their intermediate lessons and discussions that "There are two major types of financial institutions: banks (i.e., deposit-type financial institutions) and nonbanks (i.e., non-deposit-type financial institutions). The choice of which institution you use depends on which institution will serve your needs the best and help you achieve your goals the fastest."
Various types of Financial Institutes are as follows:
Commercial Banks
Credit Unions
Stock brokerage firms
Asset management firms
Insurance Companies
Finance Companies
Building Societies
Retailers
The services provided by the various types of financial institutions may vary from one institution to another. For example, the services offered by the commercial banks are insurance services, mortgages, loans and credit cards. As mentioned by BYU: Marriott School, "Commercial Banks compete by offering the widest variety of services; however, they generally do not offer the highest interest rates on deposits or the lowest interest rates on loans." BYU: Marriott School also mentioned that Commercial Banks are also known as Deposit Type Financial Institutes.
The credit union is a co-operative financial institution which is also known as a Deposit Type Financial Institute. The major difference between the credit unions and banks is that the credit unions are owned by the members having accounts in it, and a credit union is usually controlled by the members of the union. As mentioned in the BYU: Marriott School intermediate lessons, "Credit Union banks offer higher rates on savings accounts and lower rates on loans because they are not driven to provide a profit to shareholders."
The stock brokerage firms are the other type of financial institution that help both corporations and individuals to invest in the stock market. The services provided by the brokerage firms, on the other hand, are different, and they are insurance, securities, money market and check writing.
Here is an explanation of some other financial institution types as mentioned on finance.mapsofworld.com.
[C] Another type of financial institution is the asset management firms. The prime functionality of these firms is to manage various securities and assets to meet the financial goals of the investors. The firms also offer fund management advice and decisions to corporations and individuals.
[C] The insurance companies offer insurance services, loans, mortgages, securities, bonds etc.
[C] Large organizations, small firms or an individual family or a person: any one or all of these can be customers of these financial institutions. They might need any kind of service from these institutes, like loans, mortgages, insurance, or buying or selling services for real estate.
Before dealing with any of these financial institutes, every customer asks certain questions of themselves, or they have certain requirements or needs which these Financial Institutes must fulfill. We must always try to accomplish our goals and then seek to consider what these financial institutes can provide. BYU: Marriott School mentioned in their intermediate lessons on the web that "Choosing a financial institution is a challenge." Before indulging in any kind of services or Institutes, BYU have mentioned certain questions which are relevant and every user must consider. They are as follows:
Are you looking for low costs, low fees, and high returns on deposits?
What services are important to you? Do you need loans, mortgages, credit cards, or working capital for a small business?
How important is safety for your deposits? Do you require government insurance? If so, know that this factor limits the types of institutions you can choose.
What services does the financial institution provide? If all you require is a high return on your cash management assets, then your choices are much broader.
Security (All forms)
Here are the services offered by Bank of America and Citibank along with additional information about them.
Bank of America
Company Overview: Barlas, Demir (2011), in his article "Lending Options Offered by America's Largest Residential Mortgage Bank", mentioned that Bank of America is America's largest residential mortgage bank. He also mentioned a short history about the foundation. Acquisitions of other banks were very beneficial for Bank of America. In his article Barlas (2011) mentioned that "Bank of America has spent the past few years growing by acquisition, for example, by buying LaSalle Bank for $21 billion in 2007 and acquiring Countrywide Financial, the company most closely associated with the housing decline of 2007, for $4 billion. Other monster acquisitions include the $50 billion deal for FleetBoston in 2004 and the $35 billion purchase of MBNA in 2006, which brought millions of credit card customers over to Bank of America."
Here is the timeline for the various acquisitions and mergers in the bank which is retrieved from Finance.mapsofworld.com:
In the year 2004, Bank of America acquired National Processing Company, which was engaged in processing of VISA and MasterCard Transactions.
In the same year of 2004, Bank of America made an acquisition deal with FleetBoston Financial. This acquisition helped Bank of America to gain market share in the north-eastern part of USA.
In 2005, Bank of America declared that it was going to make an acquisition deal with MBNA. After getting the approval of Federal Reserve Board, the acquisition finally took place in January, 2006. This acquisition helped Bank of America to get a strong foothold in the credit card market of USA.
In the year 2006, Bank of America declared that it would buy out The United States Trust Company, and the deal was finally executed in January, 2007.
In 2007, Bank of America made a historic acquisition deal by acquiring LaSalle Bank Corporation, LaSalle Corporate Finance and ABN Amro North America.
Recently, in January 2008, Bank of America announced that it was going to buy Countrywide Financial.
Services offered by Bank of America (BofA): One of the web pages of Realestatezing.com [D] mentions that "Among the financial institutions, Bank of America is the largest in the world that serves individual consumers as well as large corporations. A wide variety of investing, banking, financial and risk management and asset management services are provided by the Bank of America. On the whole the bank provides the facility of Checking, Savings, Mortgages, Auto and Student Loans, Retirement Services, Online Banking, Insurance, Business Banking, Credit Cards, Investments, Global Corporate Credit, Capital Raising, Cash Management, Trade Services." Along with this, Bank of America services can be categorized in the following categories:
Personal Banking
Small Business Banking
Corporate and Institutional Banking
Services in Personal Banking:
Credit Cards
Mortgage
Auto Loans
Personal Loans
Insurance
Investment Services
Online Banking
Home Equity
Retirement (IRAs are the investment schemes that come under retirement plans)
Realestatezing.com also mentioned that "Bank of America Global Consumer and Small Business Banking is the largest department of BofA. This also includes ATMs in other countries through the Global ATM Alliance." Small Business Banking has the following services:
Business Checking and Savings
Healthcare Practice Loans
Credit Cards
Online Banking Services
Automotive, dealer and marine services
Health insurance
Trade services
Bank of America also helps small businesses to start, grow and flourish. Along with this, the finances are also handled by Bank of America. In the Corporate and Institutional sector the following services are provided:
Asset Management
Card Solutions
Electronic Trading Services
Mergers and Acquisitions advisory
Private Equity Investments
Trade Services
Endorsed Programs
Citibank
Company Overview: Citibank, the consumer banking division of the leading financial services firm Citigroup, is the 3rd largest retail bank in the US based on deposits. Citibank offers basic banking accounts, credit cards, lines and loans, and investment and lending services to individuals and small businesses as well as to investors. The firm also sells products from its parent company and other subsidiaries of Citigroup. Citibank is headquartered in New York. (http://www.mgt.unm.edu) [E] As per the UBPR report on Citibank (mgt.unm.edu), Citibank is split into five divisions, each containing one or more Citi brands: banking, lending, investing, and planning, with many Citi brands within those divisions serving customers internationally. Each division serves individual and corporate customers.
Services offered by Citibank: Citibank is the commercial banking arm of Citigroup. According to the company's profile as mentioned on Data Monitor (July, 2004), Citibank provides a wide gamut of banking, credit card, and investment services to consumers and small businesses. With branch locations and subsidiaries in over 100 countries, Citibank Financial Center consists of a large network of local offices which are complemented by electronic delivery systems, ATMs and the Internet. The bank also delivers a complete range of banking products and financial services to meet the needs of corporations and governmental institutions. Citibank offers the following products and services:
Banking services
Credit cards
Mortgages
Loans
Investments
Planning/Retirement solutions
Insurance
Small business services
Corporate/Institutional services:
Asset management
Government services
Business Insurance
Private banking
The following companies are the major competitors of Citibank:
Bank of America Corporation
Deutsche Bank AG
Federal Reserve Bank of New York
Franklin Resources, Inc.
HSBC Holdings
JP Morgan Chase & Co
CHAPTER 2 INFORMATION SECURITY STANDARDS
Need for Online Banking Security Standards:
As mentioned in the document by Easy Solutions (2009), "Electronic banking platforms have been implemented as an ever more efficient channel through which banking transactions can be done without having to leave the house or office. In the end, however, these home banking platforms are web-based applications that are exposed over the Internet, making their users a very appealing target for mal-intentioned individuals. The evolution history of these attacks began more than 7 years ago, initiating what quickly became known as phishing. Its sophistication has increased on par with the new security technologies adopted by the bank industry intended to mitigate the problem." The following graph shows the evolution of the security problem affecting the e-banking platforms over the last years.
Image 1: Evolution of Threat. Retrieved from: http://www.easysol.net/newweb/images/stories/downloads/Best_security_practices_online_banking.pdf
Overview of Information Security Standards:
Information security plays an important role in protecting the assets of an organization. As no single formula can guarantee 100% security, there is a need for a set of benchmarks or standards to help ensure an adequate level of security is attained, resources are used efficiently, and the best security practices are adopted. (HKSAR, 2008)
While information security plays an important role in protecting the data and assets of an organization, we often hear news about security incidents, such as defacement of websites, server hacking and data leakage. Organizations need to be fully aware of the need to devote more resources to the protection of information assets, and information security must become a top concern in both government and business. Fortunately, a number of governments and organizations have set up benchmarks, standards and, in some cases, legal regulations on information security to help ensure an adequate level of security is maintained, resources are used in the right way, and the best security practices are adopted. Some industries, such as banking, are regulated, and the guidelines or best practices put together as part of those regulations often become a de facto standard among members of these industries. (HKSAR, 2008)
Miller, Andrew (2006), in his article retrieved from bankinfosecurity.com, said that "these laws and regulations do a good job of defining the scope of information security and spelling out the role of information security in risk management. However, they have little to say about what constitutes effective information security or how to achieve it. To address the situation, the International Standards Organization has developed two standards that do precisely that, ISO 17799 and ISO 27001. The standards are both derived from a British standard, BS7799, which for many years served as the authority for information security. BS7799 came in two parts. Part one, BS7799:1, became ISO 17799, while BS7799:2 became ISO 27001. The two standards, together, provide a set of best practices and a certification standard for information security, and by adhering to them banks can go a long way toward satisfying regulatory compliance requirements. ISO 17799 provides best practice recommendations for initiating, implementing, or maintaining information security management systems. Information security is defined
within the standard as the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required). The standard contains 12 sections: risk assessment and treatment; security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance. Within each section, information security control objectives are specified and a range of controls are outlined that are generally regarded as best practices. For each control, implementation guidance is provided. Each organization is expected to perform an information security risk assessment prior to implementing controls. The second standard, ISO 27001, specifies requirements for establishing, implementing, maintaining, and improving an information security management system consistent with the best practices outlined in ISO 17799. ISO 27001 is the first standard in a proposed series of information security standards which will be assigned numbers within the ISO 27000 series. ISO 17799 is expected to be renamed ISO 27002 in 2007. In the works is ISO 27004 - Information Security Management Metrics and Measurement - currently in draft mode. Previously, organizations could only be officially certified against the British Standard (or national equivalents) by certification/registration bodies accredited by the relevant national standards organizations. Now the international standard can be used for certification. Certification against ISO 27001 brings a number of benefits. Independent assessment brings rigor and formality to the implementation process, implying improvements to information security and associated risk reduction." Certification is entirely voluntary but is increasingly being demanded from suppliers and business partners who are concerned about information security, and it requires management approval. (Miller Andrew, 2006)
Information Security Standards:
The International Organization for Standardization (ISO), established in 1947, is a nongovernmental international body that collaborates with the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU) on information and communications technology (ICT) standards. As mentioned in the document from HKSAR (2008), here are the commonly adopted standards and regulations for information security which have been accepted in the United States:
1. ISO/IEC 27002:2005 (Code of Practice for Information Security Management)
ISO/IEC 27002:2005 (replaced ISO/IEC 17799:2005 in April 2007) is an international standard that originated from BS7799-1, one that was originally laid down by the British Standards Institute (BSI). ISO/IEC 27002:2005 refers to a code of practice for information security management, which promotes security awareness, and is intended as a common basis and practical
guideline for developing organizational security standards and effective management practices. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. This standard contains guidelines and best practice recommendations for these 10 security domains: (a) security policy; (b) organization of information security; (c) asset management; (d) human resources security; (e) physical and environmental security; (f) communications and operations management; (g) access control; (h) information systems acquisition, development and maintenance; (i) information security incident management; (j) business continuity management; and (k) compliance. Among these 10 security domains, a total of 39 control objectives and hundreds of best-practice information security control measures are recommended for organizations to satisfy the control objectives and protect information assets against threats to confidentiality, integrity and availability. [HKSAR, 2008]
2. ISO/IEC 27001:2005 (Information Security Management System - Requirements)
The international standard ISO/IEC 27001:2005 has its roots in the technical content derived from BSI standard BS7799 Part 2:2002. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within an organization. This standard is usually applicable to all types of organizations, including business enterprises, government agencies, and so on. The standard introduces a cyclic model known as the "Plan-Do-Check-Act" (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organization's ISMS. The PDCA cycle has these four phases:
a) "Plan" phase – establishing the ISMS
b) "Do" phase – implementing and operating the ISMS
c) "Check" phase – monitoring and reviewing the ISMS
d) "Act" phase – maintaining and improving the ISMS
Often, ISO/IEC 27001:2005 is implemented together with ISO/IEC 27002:2005. ISO/IEC 27001 defines the requirements for an ISMS, and uses ISO/IEC 27002 to outline the most suitable information security controls within the ISMS. ISO/IEC 27002 is a code of practice that provides suggested controls that an organization can adopt to address information security risks. [HKSAR, 2008]
3. ISO/IEC 15408 (Evaluation Criteria for IT Security)
The international standard ISO/IEC 15408 is commonly known as the "Common Criteria" (CC). It consists of three parts: ISO/IEC 15408-1:2005 (introduction and general model), ISO/IEC 15408-2:2005 (security functional requirements) and ISO/IEC 15408-3:2005 (security assurance requirements). This standard helps evaluate, validate, and certify the security assurance of a technology product against a number of factors, such as the security functional requirements specified in the standards. [HKSAR, 2008]
Hardware and software can be evaluated against CC requirements in accredited testing laboratories to certify the exact EAL (Evaluation Assurance Level) the product or system can attain. There are 7 EALs:
EAL1 - Functionally tested
EAL2 - Structurally tested
EAL3 - Methodically tested and checked
EAL4 - Methodically designed, tested and reviewed
EAL5 - Semi-formally designed and tested
EAL6 - Semi-formally verified, designed and tested
EAL7 - Formally verified, designed and tested
A list of accredited laboratories as well as a list of evaluated products can be found on the Common Criteria portal. The list of products validated in the USA can be found on the web-site of the Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS). [HKSAR, 2008]
Data Security Standard for Payment Card Industry
As per information retrieved from HKSAR (2008), the Payment Card Industry (PCI) Data Security Standard (DSS) was developed by a number of major credit card companies (including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) as members of the PCI Standards Council to enhance payment account data security. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures. These requirements are organized into the following areas:
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
[HKSAR, 2008]
COBIT
The Control Objectives for Information and related Technology (COBIT) is "a control framework that links IT initiatives to business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered". The IT Governance Institute (ITGI) first released it in 1995, and the latest update is version 4.1, published in 2007. COBIT is increasingly accepted internationally as a set of guidance materials for IT governance that allows managers to bridge the gap between control requirements, technical issues and business risks. Based on COBIT 4.1, the COBIT Security Baseline focuses on the specific risks around IT security in a way that is simple to follow and implement for small and large organizations. [HKSAR, 2008]
ITIL (OR ISO/IEC 20000 SERIES)
The Information Technology Infrastructure Library (ITIL) is a collection of best practices in IT service management (ITSM); it focuses on the service processes of IT and considers the central role of the user. It was developed by the United Kingdom's Office of Government Commerce (OGC). Since 2005, ITIL has evolved into ISO/IEC 20000, which is an international standard within ITSM.
An ITIL service management self-assessment can be conducted with the help of an online questionnaire maintained on the website of the IT Service Management Forum. The self-assessment questionnaire helps evaluate the following management areas: (a) Service Level Management, (b) Financial Management, (c) Capacity Management, (d) Service Continuity Management, (e) Availability Management, (f) Service Desk, (g) Incident Management, (h) Problem Management, (i) Configuration Management, (j) Change Management, and (k) Release Management. [HKSAR, 2008]

Information Security Regulations

In addition to the various industry standards bodies and guidelines, certain regulated businesses, such as banking, may need to observe the regulations and guidelines specified by their own industry or professional regulatory bodies. In this section, we briefly discuss the US regulations SOX, COSO, HIPAA, and FISMA. [HKSAR, 2008]

SOX

After a number of high profile business scandals in the US, including Enron and WorldCom, the Sarbanes-Oxley Act of 2002 (SOX) was enacted as legislation in 2002. This act is also known as the "Public Company Accounting Reform and Investor Protection Act". Its purpose is to "protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes". This regulation affects all companies listed on stock exchanges in the US. As information technology plays a major role in the financial reporting process, IT controls would need to be assessed to see if they fully satisfy this SOX requirement.
Although information security requirements have not been specified directly in the Act, without appropriate security measures and controls in place there would be no way a financial system could continue to provide reliable financial information, whether due to possible unauthorized transactions or manipulation of numbers. SOX requirements therefore indirectly compel management to consider information security controls on systems across the organization in order to comply with SOX.

COSO

The COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework is a framework that initiates an integrated process of internal controls. It helps improve ways of controlling enterprises by evaluating the effectiveness of internal controls. It contains five components:
1. Control Environment, including factors like integrity of people within the organization and management authority and responsibilities.
2. Risk Assessment, aiming to identify and evaluate the risks to the business.
3. Control Activities, including the policies and procedures for the organization.
4. Information and Communication, including identification of critical information to the business and communication channels for delivering control measures from management to staff.
5. Monitoring, including the process used to monitor and assess the quality of all internal control systems over time.
HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US law designed to improve the portability and continuity of health insurance coverage in both the group and individual markets, and to combat waste, fraud, and abuse in health insurance and health care delivery, as well as other purposes. The Act defines security standards for healthcare information, and it takes into account a number of factors including the technical capabilities of record systems used to maintain health information, the cost of security measures, the need for training personnel, the value of audit trails in computerized record systems, and the needs and capabilities of small healthcare providers. A person who maintains or transmits health information is required to maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of that information. In addition, the information should be properly protected from threats to the security and integrity of that information, unauthorized uses, or unauthorized disclosure. The full set of rules regarding adoption of the HIPAA standards for the security of electronic health information and privacy of personal health information can be found on the US Department of Health and Human Services website.

FISMA

FISMA stands for Federal Information Security Management Act, and is a part of the US E-Government Act (Public Law 107-347) that became legislation in 2002. It requires US federal agencies to develop, document, and implement an agency-wide programme to
provide information security for the information (and information systems) that support the operations and assets of the agency. Some of the requirements include:
1. Periodic risk assessments of information and information systems that support the operations and assets of the organization
2. Risk-based policies and procedures designed to reduce information security risks to an acceptable level
3. Plans for providing adequate security for networks and information systems
4. Security awareness training to all personnel, including contractors
5. Periodic evaluation and testing of the effectiveness of the security policies, procedures and controls. The frequency should not be less than annually. Remedial action to address any deficiencies found is to be properly managed.
6. A working and tested security incident handling procedure
7. A business continuity plan in place to support the operation of the organization.
[HKSAR, 2008]

Summary

Although there are a number of information security standards available, an organization can only benefit if those standards are implemented properly. Security is something that all parties should be involved in, both inside and outside. Senior management, information security practitioners, IT professionals and users all have a role to play in securing the assets of an organization. The success of information security can only be achieved by full cooperation at all levels of an organization.
CHAPTER 3 ONLINE SECURITY BREACHES

Introduction

Security breaches can have a far-reaching impact not only on a company's finances, but on its reputation as well. Studies have shown that the financial services industry has become a primary target of cyber-attacks on a global scale. This is not surprising considering the highly valuable information that all FSPs collect and maintain on a daily basis. There is an expectation from customers, employees, and partners (anyone that entrusts a company with their sensitive information) that this information will be protected. As mentioned in the white paper by Safenet (Pg. 3, 2010), "Companies are required to prove their compliance with these regulations and will be held liable for their failure to do so. Financial organizations must consider all of the potential damage that can be done to their business if sensitive data is lost or stolen: lawsuits, negative publicity, loss of sales and customer confidence, and permanently tarnished reputations."

Threat Categories

Bonnette, Cynthia (Pg. 9-11, July 2003) mentions in her white paper that "The process of threat identification begins with an understanding of the financial institution's environment, including its business strategy, policies and procedures, information systems, human stakeholders (management, employees, customers), and physical resources (facilities, equipment). Each of these factors will impact potential threat
sources, their motivation, method, and consequences. An understanding of threats can best be achieved by grouping them into categories." Three intuitive categories include human, non-human, and mixed threats. Specific examples include the following:

H: People-based threats can include individuals from inside and outside the organization. This represents the broadest category, with a wide range of capabilities and motivations. Within this broad category, a number of subgroups can be identified for independent assessment:

Hackers – These individuals are characterized by their strong interest in computer technology and desire to learn more by playing with systems and testing their capabilities. Often this involves testing systems they do not own.

Crackers – This group is distinguished from hackers by their more malicious intentions. While claiming a strong interest in technology, their goals tend to be criminal in nature (e.g., theft, destruction, or denial of service to data or systems).

Insiders – This group includes a wide range of individuals with some degree of legitimate access to an organization's systems (e.g., full and part time employees at all levels, contractors, consultants, etc.). These individuals may cause harm out of malicious intent or innocently damage systems due to error.

Partners – Service providers, vendors, business partners, and their employees present similar concerns as insiders. Their access to information systems and data can lead to intentional or unintentional damage or compromise.
floods. viruses. Mixed – This category consists of threat sources that are characterized by a blend of human and non-human involvement. tornadoes. In CERT‘s OCTAVE Method. and severe storms.) that is originally created by a person. etc.e. Such mixed threats may be targeted at specific financial institutions or they may attack randomly. hurricanes. This may be done with the assistance of hired crackers or others to gain unauthorized access to sensitive corporate data. worms. based on the geographic location. Terrorist attacks can be both targeted and random.. Non-human – The category of non-human threats includes all types of natural disasters such as fires. a financial institution is not ―singled out‖ by the threat source). Cynthia.Competitors – Foreign or domestic competitors may seek to gain an advantage by exploiting information systems. the possibility of experiencing an event involving one of these non-human threats may be more or less likely. However. Examples include malicious code (Trojan horses. but then takes on a ―life of its own‖ on the Internet. [Bonnette. and other circumstances. (July. this category of threat sources consists of non-targeted events (i. Generally. earthquakes. 2003)] 38 . threat scenarios are developed based on known attack sources and expected outcomes. Terrorists – This group may include political or social organizations that seek to gain attention and influence through disruptive and harmful acts.
The Threat Environment

As mentioned in the white paper of Safenet (Pg. 5-8, 2010), "Financial services providers are faced with complex challenges that directly affect their bottom line and, potentially, their very survival in a high-churn market. With the rising incidence of threats to sensitive data, and increasing requirements to protect that data, organizations must focus squarely on their security infrastructure. For financial services organizations, the importance of protecting financial data and assets, and retaining the trust of its customers, employees, and business partners, cannot be overstated. Protecting sensitive and critical data, no matter where it resides, and ensuring that only the appropriate persons have access to that data, should be a core requirement of every company's security strategy."

Phishing – Although passwords can also be obtained through less sophisticated means such as eavesdropping, guessing, dumpster diving, and shoulder-surfing, phishing is a common form of cybercrime typically carried out through e-mail or instant messaging, providing links or instructions that direct the recipient to a fraudulent Web site masquerading as a legitimate one. The unsuspecting user enters personal information (such as user names, passwords, Social Security Numbers, and credit card/account numbers), which is then collected by the hacker. Of particular attraction to phishing scams are online banking, payment services, and social networking sites.

Password Database Theft – Stolen user credentials are a valuable commodity and, often times, cybercrime rings operate solely to obtain this information and sell it to the highest bidder or use it themselves to access user accounts. Hackers steal user data and
passwords from one web site operator to hack other sites. Since many people use the same user ID and password combination for multiple sites, the attacker can hack additional accounts that the user has. In late 2009, Google Gmail, Yahoo, Microsoft Hotmail, and AOL were victims of phishing attacks that exposed thousands of e-mail account user IDs and passwords.

Man-in-the-Middle (MitM) – In this type of threat, the attacker can actively inject messages of its own into the traffic between the user's machine and the authenticating server. One approach for MitM attacks involves pharming, which involves the usage of malicious network infrastructures, such as malicious wireless access points or compromised DNS servers, to redirect users from the legitimate site they are trying to access to a malicious fraudulent Web site that accesses the user credentials and acts on behalf of the user to perform malicious activities. The Sinowal Trojan is a well-known attack developed by a cybercrime group several years ago that is responsible for the theft of login credentials of approximately 300,000 online bank accounts and almost as many credit card accounts.

Man-in-the-Browser (MitB) – MitB is a Trojan horse program, a variant of a MitM attack, that infects the user's internet browser and inserts itself between the user and the Web browser, modifying and intercepting data sent by the user before it reaches the browser's security mechanism. It operates in a stealth manner with no detectable signs to the user or the host application. A MitB attack has the ability to modify Web pages and transaction content in a method that is undetectable by the user and host application. Silent Banker is a well-known example of a MitB attack targeted at bank transactions. It
uses a Trojan program to intercept and modify the transaction, and then redirect it into the attacker's account.

Identity Theft – Identity theft refers to all types of crime in which someone illicitly obtains and uses another person's personal data through deception or fraud, typically for monetary gain. Identity theft occurs through a wide range of methods: from very low-tech means, such as check forgery and mail theft, to more high-tech schemes, such as computer spyware and social network data mining. With enough personal information about an individual, a criminal can assume that individual's identity to carry out a wide range of crimes. The following table illustrates well-known social Web sites that have been attacked.

Abagnale, Frank W. (Pg. 5-9, 2006-2007) also mentioned some threats on the41.com related to online banking security. They are as follows:

Pharming – Poisoning the DNS cache on the user's PC so it appears to access the correct URL, when in reality it is redirecting the browser to a spoofed site. This can also be done to a DNS server, which poisons an entire region.

Spoofed Site – Presenting a link to a fake site that looks and feels like the original financial institution or merchant site.

Duress – Using e-mail or calling the user with a threat of shutting down the account if they fail to respond and provide their user credentials.

Malware – Installing malicious software on the user's PC to collect information through keyboard logging, screenshots and file searches.
Session Hijacking – Using an authenticated session (after the user has authenticated) to mimic a new session and conduct transactions from the compromised account.

Cookie Theft – Theft of software cookies that are used to assume the victim's digital identity.

IVR Spoofing – Faking Interactive Voice Response (IVR) systems that call on users to dial in and provide their account information and/or credentials.

Shoulder Surfing – Viewing of sensitive information over the shoulder of an authenticated user (i.e., if a user views check images online or at a physical ATM / teller location).

Table 1: Security Breaches. Retrieved from Safenet (Pg. 5-8, 2010)
Anatomy of an Incident

Gideon T. Rasmussen (2008), in the Bank of America document on Ecommerce payment card security, describes the anatomy of incidents from previously hacked websites and their patterns. He mentioned that "Hackers attack via common infrastructure and web application vulnerabilities, such as compromise of data in transmission across internal private networks." Rasmussen (2008) also said that "They follow trends. They use newly discovered exposures such as the Kaminsky Domain Name Service Vulnerability, which caused administrators to scramble to patch affected systems recently. Hackers also use obscure, legacy attacks such as session replay (where the hacker provides an authorized user with a session id, monitors for its use and hijacks the session)." A compromise may be detected by the merchant, a service provider or Visa common point of purchase fraud investigations. Visa has documented the following indications of a security breach:
• Unknown or unexpected outgoing Internet network traffic from the cardholder environment
• Presence of unexpected IP addresses on store and wireless networks
• Unknown or unexpected network traffic from store to headquarter locations
• Unknown or unexpected services and applications configured to launch automatically on system boot
• Anti-virus programs malfunctioning or becoming disabled for unknown reasons
• Failed login attempts in system authentication and event logs
• SQL Injection attempts in web server event logs
• Authentication event log modifications (i.e., unexplained event logs being deleted)
• Suspicious after-hours file system activity
• Presence of .zip, .rar, .tar, and other types of unidentified compressed files containing cardholder data
• Vendor or third-party connections to the cardholder environment without prior consent and/or a trouble ticket.
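Two of the indicators above, failed login attempts in authentication logs and SQL injection attempts in web server logs, lend themselves to a simple automated check. The following is an added example, not code from the thesis, Visa or Bank of America; the log formats, the five-failures-per-minute threshold and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample of web server access log lines (Apache "common" style).
WEB_LOG = """\
10.0.0.5 - - [12/Mar/2011:10:00:01] "GET /account?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2011:10:00:03] "GET /account?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
10.0.0.9 - - [12/Mar/2011:10:00:04] "GET /login?user=admin%27--&pw=x HTTP/1.1" 200 318
10.0.0.7 - - [12/Mar/2011:10:00:08] "GET /help HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2011:10:00:09] "GET /search?q=UNION+SELECT+card_number+FROM+cards HTTP/1.1" 200 40
"""

# Constructed sample of authentication log lines: timestamp, result, user, source.
AUTH_LOG = """\
2011-03-12T23:10:01 FAIL  user=jsmith  src=10.0.0.9
2011-03-12T23:10:02 FAIL  user=jsmith  src=10.0.0.9
2011-03-12T23:10:02 FAIL  user=mlee    src=10.0.0.9
2011-03-12T23:10:03 FAIL  user=admin   src=10.0.0.9
2011-03-12T23:10:05 FAIL  user=root    src=10.0.0.9
2011-03-12T23:10:06 OK    user=jsmith  src=10.0.0.5
2011-03-13T09:15:00 FAIL  user=pwong   src=10.0.0.7
"""

# Signatures that commonly appear in SQL injection probes. The request target is
# URL-decoded first so that %27 (a quote) and "+" (a space) are matched.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I),   # ' OR '1'='1
    re.compile(r"'\s*--"),                             # quote closed by a comment
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),  # UNION SELECT
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),
]

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')


def find_sqli_attempts(log_text):
    """Return (source address, decoded request target) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = unquote_plus(m.group("target"))
        if any(p.search(target) for p in SQLI_PATTERNS):
            hits.append((m.group("src"), target))
    return hits


AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)")


def find_failed_login_bursts(log_text, threshold=5, window_seconds=60):
    """Map each source address to its failure count when at least `threshold`
    failures fall inside any `window_seconds` window (a sliding window per source)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group("result") == "FAIL":
            failures[m.group("src")].append(datetime.fromisoformat(m.group("ts")))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    for src, target in find_sqli_attempts(WEB_LOG):
        print("possible SQL injection from", src, ":", target)
    for src, count in find_failed_login_bursts(AUTH_LOG).items():
        print("failed login burst from", src, ":", count, "failures")
```

On the constructed sample the scanner flags the three probing requests and the one address that failed five logins within a minute.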
CHAPTER 4 SECURITY BEST PRACTICES

Computer Security Best Practices

The following standard computer security best practices can protect your transactions and business. They have been retrieved from the Authorize.net article "Security Best Practices" (Pg. 6, 2005-2006).

Install a Firewall
A firewall is a hardware or software solution that monitors the activity of external connections (primarily the Internet) to an internal network of servers. Firewalls help to eliminate unauthorized or unwanted external activity and safeguard your network and connections from outside threats.

Use Anti-Virus Software and Update It Often
Anti-virus software is another important way to protect your network and computer systems from outside vulnerabilities. This software should be updated on a regular basis.

Store All Sensitive or Confidential Information Separate from Web Servers
For maximum information security, you should never store sensitive customer information, such as credit card numbers. If for some reason it is necessary to store this data, do so in a secure, encrypted database on a server that is not connected to the Internet. If sensitive information is stored in hard copy, thoroughly shred and dispose of the information on a regular basis.
Regularly Download and Install Security Updates
Software performance and security can be optimized by installing all service and security updates. If you ever need to reinstall your software, remember to reinstall all updates.

Avoid File Sharing
Share access to network drives and individual computers only with needed, trustworthy users. Especially avoid sharing access to files that store passwords and other confidential or sensitive information.

Avoid Sending or Requesting Confidential Information via Insecure Methods
As a standard security practice, legitimate businesses will never request confidential information (such as credit card information or passwords) from you in an e-mail or online chat session. If you receive a communication requesting you to submit confidential information in an insecure manner, always call the soliciting business to confirm the request before responding. Your business should also never request or submit confidential information via e-mail or other insecure methods.

E-commerce Security Best Practices

Following are the security best practices based on the document by Gideon T. Rasmussen (2008), Bank of America, on E-commerce payment card security:

1. Comply with the PCI Data Security Standard (DSS). Use the PCI DSS as a reference document. It contains PCI requirements and testing procedures used by assessors.
Additional PCI guidance can be found in Navigating the DSS and the PCI information supplements.

2. Focus on data flow. Ensure appropriate controls are in place anywhere card data is stored, processed or transmitted.

3. Do not store prohibited data. Under PCI standards, it is forbidden to store CVV2 data (the three digit number on the back of a card). Hackers can use CVV2 codes combined with card numbers to conduct fraudulent transactions.

4. Protect card data in storage and transmission. Render card numbers unreadable anywhere they are stored (DSS requirement 3.4). This key DSS directive is absolutely critical to keeping card data secure. E-commerce merchants often provide the ability for customers to store their card number in order to make future transactions. Options for secure storage include strong encryption, truncation, and hashing. Use strong encryption to safeguard card data in transmission across public networks (requirement 4.1). As a best practice, encrypt card data across internal networks between web, application and database servers.

5. Implement world class network security. The DSS provides detailed requirements for network security via router and firewall configurations, demilitarized zone networks, databases on an internal network, etc.

6. Harden systems against attack. Configure operating systems and commercial applications in accordance with industry standard hardening guides. Install relevant security patches within 30 days. Install anti-virus and malware protection software.
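Practices 3 and 4 above (refuse prohibited data; render stored card numbers unreadable by truncation or hashing) can be enforced at the point where a merchant application builds the record it persists. The following is an added example, not code from the thesis or the Bank of America document; the hashing key, the first-six/last-four truncation rule and the card values are constructed assumptions.

```python
import hashlib
import hmac

# Constructed secret for the keyed hash. In a real deployment it comes from a
# key-management system, never from source code.
HASH_KEY = bytes.fromhex("0f" * 32)

# Field names the application must never persist (CVV2 and its equivalents,
# PIN and magnetic-stripe track data).
PROHIBITED_FIELDS = {"cvv2", "cvc2", "cid", "pin", "track1", "track2"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; used only to reject obviously malformed input early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str) -> str:
    """Keyed hash of the PAN. A plain hash could be reversed by enumerating
    the small PAN space; the key makes that infeasible without the key."""
    return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def prepare_card_record(fields: dict) -> dict:
    """Return the only representation of the card that may be written to storage.

    Raises ValueError if the submitted fields include prohibited data or the
    PAN is malformed, so nothing forbidden can reach the database by accident.
    """
    prohibited = PROHIBITED_FIELDS & {k.lower() for k in fields}
    if prohibited:
        raise ValueError("refusing to store prohibited data: " + ", ".join(sorted(prohibited)))
    pan = fields["pan"].replace(" ", "")
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("malformed PAN")
    return {
        "pan_masked": truncate_pan(pan),   # for display and customer support
        "pan_hmac": hash_pan(pan),         # for matching a returning card
        "expiry": fields["expiry"],
    }


if __name__ == "__main__":
    # Constructed test card number (a standard Luhn-valid sample, not a real account).
    print(prepare_card_record({"pan": "4111 1111 1111 1111", "expiry": "12/13"}))
```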
7. Actively manage software development. Develop custom applications in accordance with an industry standard methodology. Refer to the Secure Software Development Life Cycle Processes document as a resource. Hire developers with secure coding experience. Establish a targeted security awareness program for developers. Ensure the security team is involved in development initiatives.

8. Evaluate web-facing applications. DSS requirement 6.6 provides two options: conduct code reviews or implement application firewalls.

9. Use secure payment applications. Use software from Visa's List of Validated Payment Applications as a best practice.

10. Conduct network scans. New vulnerabilities are detected daily. Scanning once a quarter may leave a vulnerability undiscovered for 90 days, increasing the risk of compromise. For improved security posture, increase the scan interval to once a month.

11. Perform penetration testing. Penetration testing is critical to the security of networked devices and web applications. Establish a penetration testing program in accordance with the DSS requirement. Adopt a well-regarded penetration testing methodology such as the Open Source Security Testing Methodology Manual (OSSTMM) or the Information System Security Framework (ISSAF).

12. Monitor for new threats and vulnerabilities.

13. Have emphasis on detective controls. A layered monitoring program is necessary to detect attacks and provide forensic information for incident response. If an incident occurs, the goal should be to detect it early on and limit further data compromise.

14. Thoroughly evaluate service providers. Merchants are liable when card data is shared
with a service provider. Therefore, it is prudent to thoroughly evaluate their security controls based upon the services provided.

15. Conduct a review of existing card applications. Determine if authorized access to card data is appropriately restricted by business need. For example, if an end user's duties only require access to one card number at a time, ensure controls are in place to limit access by those constraints. Evaluate custom application functionality.

16. Implement fraud detection measures. Monitor access to card data for fraudulent activity. [Gideon T. Rasmussen, Bank of America E-commerce payment card security]

Role of Authentication in an Internet Banking Environment

All the following data on authentication is retrieved from a document by the "Federal Financial Institutions Examination Council (N.A.) on Authentication in an Internet Banking Environment (www.ffiec.gov)". On August 8, 2001, the FFIEC agencies (agencies) issued guidance entitled Authentication in an Electronic Banking Environment (2001 Guidance). The 2001 Guidance focused on risk management controls necessary to authenticate the identity of retail and commercial customers accessing Internet-based financial services. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. Consistent with the FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002, financial institutions should periodically:
• Ensure that their information security program:
– Identifies and assesses the risks associated with Internet-based products and services,
– Identifies risk mitigation actions, including appropriate authentication strength, and
– Measures and evaluates customer awareness efforts.
• Adjust, as appropriate, their information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information, and
• Implement appropriate risk mitigation strategies.

The risks of doing business with unauthorized or incorrectly identified persons in an Internet banking environment can result in financial loss and reputation damage through fraud, disclosure of customer information, corruption of data, or unenforceable agreements. Financial institutions engaging in any form of Internet banking should have effective and reliable methods to authenticate customers. An effective authentication system is necessary for compliance with requirements to safeguard customer information, to prevent money laundering and terrorist financing, to reduce fraud, to inhibit identity theft, and to promote the legal enforceability of their electronic agreements and transactions. Existing authentication methodologies involve three basic "factors":
• Something the user knows (e.g., password, PIN),
• Something the user has (e.g., ATM card, smart card), and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and
implemented multifactor authentication methods are more reliable and stronger fraud deterrents.

Authentication Techniques, Processes, and Methodologies

Shared Secrets
Shared secrets (something a person knows) are information elements that are known or shared by both the customer and the authenticating entity. Passwords and PINs are the best known shared secret techniques, but some new and different types are now being used as well.

Tokens
Tokens are physical devices (something the person has) and may be part of a multifactor authentication scheme. Three types of tokens are discussed here: the USB token device, the smart card, and the password-generating token.

USB Token Device
The USB token device is typically the size of a house key. It plugs directly into a computer's USB port and therefore does not require the installation of any special hardware on the user's computer. Once the USB token is recognized, the customer is prompted to enter his or her password (the second authenticating factor) in order to gain access to the computer system.

Smart Card
A smart card is the size of a credit card and contains a microprocessor that enables it to store and process data. Inclusion of the microprocessor enables software developers to use more robust authentication schemes. To be used, a smart card must be inserted into a
compatible reader attached to the customer's computer. If the smart card is recognized as valid (first factor), the customer is prompted to enter his or her password (second factor) to complete the authentication process.

Password-Generating Token
A password-generating token produces a unique pass-code, also known as a one-time password (OTP), each time it is used. The OTP is displayed on a small screen on the token. A new OTP is typically generated every 60 seconds (in some systems, every 30 seconds). This very brief period is the life span of that password. The token ensures that the same OTP is not used consecutively. OTP tokens generally last 4 to 5 years before they need to be replaced. The customer first enters his or her user name and regular password (first factor), followed by the OTP generated by the token (second factor). The customer is authenticated if (1) the regular password matches and (2) the OTP generated by the token matches the password on the authentication server.

Biometrics
Biometric technologies identify or authenticate the identity of a living person on the basis of a physiological or physical characteristic (something a person is). Physiological characteristics include fingerprints, iris configuration, and facial structure. Physical characteristics include, for example, the rate and flow of movements, such as the pattern of data entry on a computer keyboard. The process of introducing people into a biometrics-based system is called "enrollment." In enrollment, samples of data are taken from one or more physiological or physical characteristics; the samples are converted into
a mathematical model, or template, and the template is registered into a database on which a software application can perform analysis. Biometric identifiers are most commonly used as part of a multifactor authentication system, combined with a password (something a person knows) or a token (something a person has). Various biometric techniques and identifiers are being developed and tested; these include:
• Fingerprint recognition,
• Face recognition,
• Voice recognition,
• Keystroke recognition,
• Handwriting recognition,
• Finger and hand geometry,
• Retinal scan, and
• Iris scans.
Two biometric techniques that are increasingly gaining acceptance are fingerprint recognition and face recognition.

Non-Hardware-Based One-Time-Password Scratch Card
Scratch cards (something a person has) are less-expensive, "low-tech" versions of the OTP generating tokens discussed previously. The card, similar to a bingo card or map location look-up, usually contains numbers and letters arranged in a row-and-column format, i.e., a grid. The size of the card determines the number of cells in the grid.
Used in a multifactor authentication process, the customer first enters his or her user name and password in the established manner. Assuming the information is input correctly, the customer will then be asked to input, as a second authentication factor, the characters contained in a randomly chosen cell in the grid. The customer will respond by typing in the data contained in the grid cell element that corresponds to the challenge coordinates. This type of layered authentication has been used in the commercial banking/brokerage business for many years.

Out-of-Band Authentication
Out-of-band authentication includes any technique that allows the identity of the individual originating a transaction to be verified through a channel different from the one the customer is using to initiate the transaction.

Internet Protocol Address (IPA) Location and Geo-Location
One technique to filter an online transaction is to know who is assigned to the requesting Internet Protocol Address. Each computer on the Internet has an IPA, which is assigned either by an Internet Service Provider or as part of the user's network. If all users were issued a unique IPA that was constantly maintained on an official register, authentication by IPA would simply be a matter of collecting IPAs and cross-referencing them to their owners. However, IPAs are not owned, may change frequently, and in some cases can be "spoofed." Additionally, there is no single source for associating an IPA with its current owner, and in some cases matching the two may be impossible. Geo-location technology is another technique to limit Internet users by determining where they are or, conversely, where they are not. Geo-location software inspects and
analyzes the small bits of time required for Internet communications to move through the network. These electronic travel times are converted into cyberspace distances. After these cyberspace distances have been determined for a user, they are compared with cyberspace distances for known locations. If the comparison is considered reasonable, the user's location can be authenticated. If the distance is considered unreasonable or for some reason is not calculable, the user will not be authenticated.

Customer Verification Techniques
Customer verification is a related but separate process from that of authentication. Customer verification complements the authentication process and should occur during account origination. Verification of personal information may be achieved in three ways:
• Positive verification to ensure that material information provided by the applicant matches information available from trusted third party sources. More specifically, a financial institution can verify a potential customer's identity by comparing the applicant's answers to a series of detailed questions against information in a trusted database.
• Logical verification to ensure that information provided is logically consistent (e.g., do the telephone area code, ZIP code, and street address match).
• Negative verification to ensure that information provided has not previously been associated with fraudulent activity.
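The three verification checks above, carried out over constructed sample data as an added example (not the paper's own code). The "trusted third-party" records, the ZIP-to-area-code map and the set of values previously linked to fraud are all constructed stand-ins for the external data sources an institution would actually query.

```python
"""Customer verification in three ways: positive, logical and negative.

Added example; TRUSTED_RECORDS, ZIP_AREA_CODES and FRAUD_INDICATORS are
constructed sample data standing in for real third-party sources.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Applicant:
    full_name: str
    date_of_birth: str   # YYYY-MM-DD
    phone: str           # AAA-NNN-NNNN, area code first
    street: str
    zip_code: str


# Constructed stand-in for a trusted database, keyed by name and date of birth.
TRUSTED_RECORDS = {
    ("ALICE EXAMPLE", "1980-04-12"): {"phone": "231-555-0142", "street": "100 MAPLE ST", "zip_code": "49307"},
    ("BOB SAMPLE", "1975-09-30"): {"phone": "313-555-0188", "street": "55 RIVER RD", "zip_code": "48201"},
}

# Constructed: which telephone area codes serve which ZIP codes.
ZIP_AREA_CODES = {"49307": {"231"}, "48201": {"313"}}

# Constructed: (field, value) pairs seen in earlier confirmed-fraud applications.
FRAUD_INDICATORS = {("phone", "231-555-0199"), ("street", "1 NOWHERE LN")}


def _norm(s):
    """Case- and whitespace-insensitive comparison form."""
    return " ".join(s.upper().split())


def positive_verification(app):
    """Material answers must match the trusted third-party record."""
    record = TRUSTED_RECORDS.get((_norm(app.full_name), app.date_of_birth))
    if record is None:
        return ["no trusted record found for applicant"]
    return [
        f"{field_name} does not match trusted record"
        for field_name in ("phone", "street", "zip_code")
        if _norm(getattr(app, field_name)) != _norm(record[field_name])
    ]


def logical_verification(app):
    """Answers must be internally consistent: telephone area code vs. ZIP code."""
    area_code = app.phone.split("-")[0]
    served = ZIP_AREA_CODES.get(app.zip_code)
    if served is None:
        return [f"unknown ZIP code {app.zip_code}"]
    if area_code not in served:
        return [f"area code {area_code} does not serve ZIP {app.zip_code}"]
    return []


def negative_verification(app):
    """Answers must not have appeared in prior fraudulent activity."""
    return [
        f"{field_name} previously associated with fraud"
        for field_name, value in (("phone", app.phone), ("street", _norm(app.street)))
        if (field_name, value) in FRAUD_INDICATORS
    ]


def verify_applicant(app):
    """Run all three checks; the applicant is verified only if none raises a finding."""
    findings = positive_verification(app) + logical_verification(app) + negative_verification(app)
    return {"verified": not findings, "findings": findings}


if __name__ == "__main__":
    applicant = Applicant("Alice Example", "1980-04-12", "313-555-0142", "100 Maple St", "49307")
    print(verify_applicant(applicant))
```

Running the `__main__` case shows why the checks are complementary: the applicant passes negative verification, but the phone number fails the positive check against the trusted record and the logical check (a 313 area code does not serve ZIP 49307), so the application is not verified.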
CHAPTER 5 CONSEQUENCES OF POOR ONLINE SECURITY

Consequences of Poor Online Security
As per the white paper by Osterman Research (2011), the problems associated with security exploits impact just about every aspect of an organization.

Decrease in employee and IT staff productivity
Employees waiting for malware to be removed from their computers will be significantly less productive during these downtime periods, in some cases 100% less productive. Further, any sort of messaging or Web exploit will require IT staff to address the issue as soon as possible after the problem is discovered. This can lead to IT staff working on weekends, the delay of various IT projects, rebuilding desktops, and other costs that may be difficult to estimate. Security exploits can also lead to extended email or other service outages that can have serious ramifications on user productivity.

Financial losses
Loss of funds that arise from the use of malware like Zeus, which is designed to steal money from victims' financial accounts, can have a devastating impact on an organization. Just one of the many examples of Zeus victims is Parkinson Construction, a firm with $20 million in annual revenue that lost $92,000, nearly 0.5% of its annual revenue, simply because the owner of the firm clicked on an email claiming to be from the Social Security Administration.
Loss of customer data
Data breaches can result in the need to remediate them in expensive ways, such as notifying customers via postal mail that their data was lost, provision of credit reporting services to the victims for a year or longer, loss of future business, embarrassing press coverage and loss of goodwill. The Ponemon Institute has determined that the cost of a single data breach ranges from $98 in the United Kingdom to $204 in the United States (Osterman Research, 2011).

Loss of internal data
Trade secrets, confidential information and other intellectual property can be lost as a result of poor security. These losses can occur across a wide range of venues and activities, including sensitive content that is mistakenly sent in an email or an unencrypted file transfer, data that is lost on an unencrypted mobile device or flash drive, or data that is taken home by employees and stored without any IT controls.

Violation of statutes and compliance requirements
If adequate security defenses are not maintained, organizations can run afoul of a wide variety of statutes that require data to be protected and retained. Osterman Research (2011) also mentions that "decision makers in one out of five organizations do not know which compliance laws apply to their organization." A small sampling of these laws includes the following:
• The Payment Card Industry Data Security Standard (PCI DSS) encompasses a set of requirements for protecting the security of consumers' and others' payment account information. It includes provisions for building and maintaining a secure
network, encrypting cardholder data when it is sent over public networks and assigning unique IDs to each individual that has access to cardholder information, among other requirements.
• The Gramm-Leach-Bliley Act (GLBA) requires financial institutions that hold personal information to transmit and store this information in such a way that its integrity is not compromised. GLBA requires financial institutions to comply with a variety of Securities and Exchange Commission and NASD rules.
• The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian privacy law that applies to all companies operating in Canada. Like many other privacy laws, it requires that personal information be stored and transmitted securely.
• The UK Data Protection Act imposes requirements on businesses operating in the United Kingdom to protect the security of the personal information they hold.
• Japan's Personal Data Protection Law is designed to protect consumers' and employees' personal information. It includes provisions for ensuring the security and disclosure of databases that contain this information.
• California's SB1386 (the Database Security Breach Notification Act) is a far reaching law that requires any holder of personal information about a California resident – regardless of where they are located – to notify each resident whose information may have been compromised in some way. Since California passed this groundbreaking data breach notification law, most other US states have passed similar laws. These laws require organizations to notify customers and
others for whom sensitive data is held if their data is exposed to an unauthorized party – an expensive proposition in almost every case.

Other issues
Osterman Research (2011) also mentions that there are a number of other problems that can occur from malware and other threats delivered via email, the Web, Web 2.0 applications and other capabilities, including:
• Internet service outages, which can create serious problems for core business services such as email, collaboration, and cloud-based CRM systems.
• Web sites being taken down for long periods in order to patch the code to eliminate an exploit.
• The exposure of FTP and other login credentials to attackers and other cybercriminals.
• The download of malware that can turn corporate and home-based computers into zombies used as part of a bot network.
• Users downloading illegal content, such as copyrighted works or pornography, using corporate assets.
Related to these outages is the potential for data leakage, and lack of compliance with monitoring capabilities and archiving requirements when employees use personal Webmail systems to send corporate data.
What Should You Do to Address the Problem?
It may sound obvious, but IT and business decision makers must determine exactly what they must protect today, and what they can reasonably expect that they will need to protect over the next few years. For example, this list should include things like:
• On-premise, IT-deployed corporate email systems.
• Threats introduced by employee devices that are brought into the workplace and that are used to access corporate resources. This should include iPads, smartphones and other mobile devices.
• Monitoring and/or preventing what leaves the organization via corporate email, personal Webmail, social media posts, etc., to protect against data loss.
• Encryption of sensitive communications to remain in compliance with both regulatory requirements and best practices.
• Monitoring internal communications for sexually or racially offensive content.
• Archiving business records that should be retained.
• Monitoring employees' activities when accessing corporate resources from personally owned devices when working from home or remotely.
• Protection of personal laptops, personal smartphones, iPads and other capabilities from spam and malware.
• Non-traditional security threats, such as confidential information that might be left on PCs at a hotel's business center, as well as sensitive information that could be stored on desktops, laptops, smartphones, flash drives, portable hard drives, servers or other systems without appropriate access controls. For example, a senior manager at a
leading anti-virus company recently reported that he found the itinerary for a general's visit to a military installation on a hotel business center's PC (Osterman Research, 2011).

Establish Detailed and Thorough Policies
Any organization that seeks to protect its users, data and networks from Web-based threats must establish detailed and thorough policies about acceptable use of all of its online tools: email, instant messaging, collaboration tools, Web 2.0 applications, smartphones, flash drives and the Web itself. Successfully addressing these problems must start with an acknowledgement of the threat landscape and the corresponding policies about how tools will be used before technologies are deployed to address the problems. Plus, there must be buy-in across the organization in order for policies to be effective.

Determine What Not To Do
As important as establishing what must be done is to establish what must not be done. For example, a blanket prohibition on the use of social media tools like Facebook or Twitter, or preventing users from employing personal Webmail systems at work, can have negative ramifications on a number of levels. A policy against the use of social media tools may seriously impact a marketing department's effectiveness at building the corporate brand, as well as user productivity if employees are not permitted to use certain consumer-focused tools that can help them get their work done. Employee morale may suffer as a result. Further, employees will probably use these tools anyway unless IT imposes draconian controls that will most likely have the side effect of impairing employee productivity. Similarly,
not allowing the use of unauthorized file transfer tools may prevent users from sending large files to prospects or customers in a timely manner. It is important to note that communication policies must be appropriate and not so broad as to prevent employees from participating in lawful activities. For example, corporate policies that prevent employees from discussing their employer on their own time, sharing comments about union organization, etc. may not be legal (Osterman Research, 2011).

Deploy a Multi-Layered, Multi-Level Defense Strategy
It is also important to deploy a multi-layered, multi-level defense strategy. This is becoming increasingly critical as the network perimeter becomes less well defined over time, as noted earlier. Traditional security architecture had a clearly defined firewall that separated internal IT-managed resources from the outside world. However, the increasing use of personal devices that can connect as easily to a Starbucks Wi-Fi network as they can to a corporate network, Web 2.0 applications like Twitter, or employees using their personal smartphones to access corporate email on weekends means that the network perimeter is rapidly disappearing. This has made security a much more difficult proposition for IT decision makers, largely because there are so many more devices and data sources to protect. Consequently, any organization should consider deploying:
• Email-based defenses that include anti-virus, anti-malware, anti-spam and DLP capabilities.
• Web content monitoring capabilities that include basic URL filtering, granular remediation capabilities that allow more sophisticated threat management and
real-time security capabilities that will determine if requests from users and applications comply with security policies, as well as the ability to more easily enforce corporate policies and changes through a centralized management interface.
• Endpoint capabilities that include anti-virus capabilities on client machines, removable media scanning capabilities, and protection for employees' personal, home-based platforms.
• Real-time monitoring and reporting capabilities that will provide visibility into employee activity in order to reduce overall risk exposure.
• Cloud-based threat intelligence, such as reputation services, that can determine if content is likely to be acceptable or unacceptable before it is delivered to the corporate network.
• Feedback loop systems that will enable community-watch defenses and reports on threats like spam and phishing attempts.
• Integrated Web and email security as a way to defend against more sophisticated blended threats and reduce the cost of managing multiple systems.

Consider Various Delivery Models
There are a variety of ways in which messaging and Web security capabilities can be managed, including:

Server-based systems
On-premise solutions deployed at the server level, where most data typically resides, resolve many of the problems associated with client-side systems by allowing easier deployment and management capabilities.
Gateway-based systems
Gateway security stops threats at the earliest possible point in the on-premise infrastructure and is a best practice for organizations that manage on-premise defenses.

Client-side systems
Client-based systems, such as URL filtering tools, anti-virus tools, spyware blockers and the like, provide useful capabilities and can be effective at preventing a variety of threats. Client-side anti-virus tools, for example, are an important best practice for any organization to prevent malware from being introduced via flash drives or other local sources. It is important to note here that most traditional, consumer-oriented anti-virus products are client-based tools.

SaaS/cloud-based services
SaaS and hosted services are increasing in popularity and offer another option for organizations to implement a variety of threat-protection capabilities. The primary advantages of this model are that no investments in infrastructure are required, up-front costs are minimal, ongoing costs are predictable, and all management and upgrades of the system are provided by the SaaS or cloud service. A potential disadvantage of SaaS or cloud services, particularly for Web traffic, is proxying all traffic to the host and addressing latency issues. Their costs can be higher than for on-premise systems in some situations, although they will not necessarily be more expensive.

Managed services
Managed services are similar in concept to hosted services, but a third party – either with staff on-site or via a remote service – manages the on-premise infrastructure, installs
upgrades, and updates signature files and the like. Costs can vary widely for managed services depending on the size of the organization, whether third-party management personnel are located on-premise or in the third party's data center, and other factors.

Virtual appliances
Another option, and one that is finding significant uptake in security applications, is the virtual appliance model – a pre-configured combination of dedicated operating system and security software that runs in a virtualized environment. Advantages of the virtual appliance approach include the ease of deploying new capabilities, the ability to move virtual appliances from one physical server to another for purposes of maintenance or failover protection, very high availability, reduced power consumption and minimal IT staff time to manage.

Hybrid offerings
A newer approach that is increasingly offered by vendors is to combine on-premise infrastructure with hosted or cloud-based services. For example, an email security vendor may provide a malware-filtering appliance on-site, but couple this with a hosted filtering service that acts as a sort of pre-filter; or they may rely on a hosted anti-virus service and desktop anti-virus tools. The fundamental advantage of this approach is that the on-premise infrastructure is protected from spikes and overall increases in the volume of malicious traffic over time, thereby preserving the on-premise investment and maintaining acceptable performance of messaging. A hybrid approach may also be deployed for Web security, where on-premise infrastructure is used to secure larger
offices and cloud-based services are used to secure smaller sites where on-premise infrastructure is too expensive to support (Osterman Research, 2011).
CONCLUSION
Online banking security is essential for every financial institution. Information or data plays a major role in every organization, and a small mistake or loophole can lead to a major disaster or huge loss to the company. Every year many new viruses and malicious codes are created to attack systems, intended to steal personal information like Social Security numbers, bank account numbers and other personal identifiers. It has therefore become a challenge for banks and many e-commerce institutions to protect personal information online, and information security has become very important for every organization, especially financial institutions.

Because customer awareness is a key defense against fraud and identity theft, financial institutions should evaluate their consumer education efforts to determine if additional steps are necessary. Management should implement a customer awareness program and periodically evaluate its effectiveness. "Methods to evaluate a program's effectiveness include tracking the number of customers who report fraudulent attempts to obtain their authentication credentials (e.g., ID/password), the number of clicks on information security links on Web sites, the number of statement stuffers or other direct mail communications, the dollar amount of losses relating to identity theft, etc." Financial institutions have made, and should continue to make, efforts to educate their customers.

By implementing a strong authentication system, banks and other financial organizations can secure their digital communication and transaction systems, and increase profitability by lowering operational costs. As consumers perform more electronic transactions, such as credit and debit card purchases, and online banking and
investments, it is increasingly important for financial services providers to institute strict control over how customer information is protected on their networks, both during and after transactions. Having a strong authentication platform is imperative to ensuring trust and preserving the financial service brand. Financial institutions should conduct a risk assessment to identify the types and levels of risk associated with their Internet banking applications. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. The agencies consider single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties.

"Although there are a number of information security standards available, an organization can only benefit if those standards are implemented properly. The success of information security can only be achieved by full cooperation at all levels of an organization, both inside and outside. Security is something that all parties should be involved in. Senior management, information security practitioners, IT professionals and users all have a role to play in securing the assets of an organization."
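The risk-assessment rule stated above (single-factor authentication is inadequate on its own for high-risk transactions that access customer information or move funds to other parties) expressed as a small step-up authentication policy. This is an added example, not code from the paper or from the FFIEC guidance it draws on; the action categories, the amount threshold, the device-familiarity signal and the mapping of factors to the "knows/has/is" categories are assumptions chosen for illustration.

```python
"""Risk-based step-up authentication for Internet banking transactions.

Added example. Which actions count as high risk, the LARGE_AMOUNT threshold
and the factor categories are assumptions, not values from the paper.
"""

# Factor -> category. "Multifactor" means factors from at least two categories;
# a password plus a PIN is still single-category and does not qualify.
FACTOR_CATEGORY = {
    "password": "knows", "pin": "knows",
    "otp_token": "has", "grid_card": "has", "out_of_band_call": "has",
    "fingerprint": "is",
}

MOVES_FUNDS_TO_OTHERS = {"wire_transfer", "ach_payment", "bill_pay"}
ACCESSES_CUSTOMER_INFO = {"view_profile", "change_contact_info", "download_statements"}
LARGE_AMOUNT = 10_000   # assumption: amounts at or above this add risk


def is_multifactor(factors):
    """True when the presented factors span two or more categories."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2


def assess_risk(txn):
    """Score a transaction dict and bucket it as 'low', 'medium' or 'high'."""
    score = 0
    if txn["action"] in MOVES_FUNDS_TO_OTHERS:
        score += 2                       # movement of funds to other parties
    if txn["action"] in ACCESSES_CUSTOMER_INFO:
        score += 2                       # access to customer information
    if txn.get("amount", 0) >= LARGE_AMOUNT:
        score += 1
    if txn.get("new_payee", False):
        score += 1
    if not txn.get("known_device", True):
        score += 1                       # unfamiliar device or network
    if score >= 2:
        return "high"
    if score == 1:
        return "medium"
    return "low"


def authorize(txn, presented_factors):
    """Return (allowed, reason) for the factors the customer has presented."""
    for f in presented_factors:
        if f not in FACTOR_CATEGORY:
            return False, f"unknown factor {f!r}"
    if not presented_factors:
        return False, "no authentication factor presented"
    risk = assess_risk(txn)
    mfa = is_multifactor(presented_factors)
    if risk == "high" and not mfa:
        return False, "high-risk transaction: multifactor authentication required"
    if risk == "medium" and not mfa:
        return True, "medium risk: single factor accepted, transaction flagged for monitoring"
    return True, f"{risk}-risk transaction authorized"


if __name__ == "__main__":
    wire = {"action": "wire_transfer", "amount": 25_000, "new_payee": True, "known_device": True}
    print(assess_risk(wire), authorize(wire, ["password"]))
    print(assess_risk(wire), authorize(wire, ["password", "otp_token"]))
```

The medium bucket is where "layered security or other controls" fits: the single factor is accepted, but the decision is returned with a reason string so the calling system can route the transaction to monitoring rather than silently allowing it.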
REFERENCES
[A] Investorwords.com. Retrieved April 2011 from the World Wide Web: http://www.investorwords.com/1950/financial_institution.html
[B] Wikipedia.org. Retrieved April 2011 from the World Wide Web: http://en.wikipedia.org/wiki/Financial_institutions
[C] Mapsofworld.com. Retrieved 2011 from the World Wide Web: http://www.mapsofworld.com/financial-institutions/types.html
[D] Realestatezing.com. Retrieved 2011 from the World Wide Web: http://www.realestatezing.com/banks-in-usa/bank-of-america/historybofa.html
[E] Onlinebanksguide.com. Retrieved 2011 from the World Wide Web: http://www.onlinebanksguide.com/citibank/
Wikinvest.com. Retrieved 2011 from the World Wide Web: http://finance.wikinvest.com/stock/Bank_of_America_(BAC)
DataMonitor. (July 2009). Citibank N.A. Company Profile. Retrieved 2011 from the World Wide Web: http://213.194.86.162/Webtools/Basvurular/!webpubpic/file/Citibank.pdf
Uniform Banking Performance Report (UBPR) for Citibank. Retrieved 2011.
Barlas, Demir. (November 2004). The Citi Slickers. Retrieved 2011 from the World Wide Web: http://www.mgt.unm.edu/news/pdf/banking/MGMT473Citibank.pdf
Easy Solutions, Inc. (2011). Best Practices in Online Banking Platforms. Retrieved 2011 from the World Wide Web: http://www.easysol.net/newweb/images/stories/downloads/Best_security_practices_online_banking.pdf
About.com. "Lending Options Offered by America's Largest Residential Mortgage Bank". Retrieved 2011 from the World Wide Web: http://homebuying.about.com/lw/Business-Finance/Real-estate/Bank-ofAmerica.htm
Bank of America. (2008). Bank of America: E-commerce payment card security. Retrieved 2011 from the World Wide Web: http://corp.bankofamerica.com/publicpdf/landing/merchantnews/pcidss/ecommerce.pdf
Mapsofworld.com. Retrieved 2011 from the World Wide Web: http://finance.mapsofworld.com/merger-acquisition/bank/bankamericas.html
Personalfinance.byu.edu. Retrieved 2011 from the World Wide Web: http://personalfinance.byu.edu/?q=node/583
Authorize.net. Retrieved 2011 from the World Wide Web: http://www.authorize.net/files/developerbestpractices.pdf
Rasmussen, Gideon T. (2003). Assessing Threats to Information Security in Financial Institutions. SANS Reading Room. Retrieved 2011 from the World Wide Web: http://www.sans.org/reading_room/whitepapers/threats/assessing-threats-information-security-financial-institutions_1143
Miller, Andrew. (2006-2007). ISO 17799 and 27001: Setting the Standards for Information Security. Retrieved 2011 from the World Wide Web: http://www.bankinfosecurity.com/articles.php?art_id=165&opg=1
HKSAR, The Government of the Hong Kong Special Administrative Region. (February 2008). An Overview of Information Security Standards. Retrieved 2011 from the World Wide Web: http://www.infosec.gov.hk/english/technical/files/overview.pdf
Federal Financial Institutions Examination Council. (N.A.). Authentication in an Internet Banking Environment. Retrieved 2011 from the World Wide Web: http://www.ffiec.gov/pdf/authentication_guidance.pdf
Osterman Research. (March 2011). Messaging and Web Security Best Practices for 2011 and Beyond. An Osterman Research White Paper. Retrieved 2011 from the World Wide Web: http://www.ostermanresearch.com/whitepapers/or_or0311.pdf
Abagnale, Frank W., and Bonnette, Cynthia. (October 2, 2006). Maximum Security Online: Best Practices for Designing the Ultimate Online Security Strategy (pp. 5-9). Retrieved 2011 from: The41.com