
Information Technology Security

Risk Management
Cyber Security, Cyber Frauds,
Prevention of Cyber Crimes

Anand Shrimali
Ex.Faculty, IIBF &
Former DGM-IT, Bank of India
(Head CBS & DC)
INDIAN INSTITUTE OF BANKING & FINANCE
About the Faculty…
• Hello, friends….. Greetings from Anand Shrimali
• Worked in Bank of India for over 4 decades: 13 yrs. in the areas of Branch Banking, 29 yrs. in Controlling Offices, EDP, HO IT, DC and Apex Training Colleges in the IT field
• 6 yrs.+ in / with IIBF as Faculty in IT
• 2 yrs.+ with IBPS on deputation as Head, Online Division
• CISO in the Bank for about one year
• Headed the Global DC & CBS of BOI for 2 years, before superannuation as Dy. General Manager, IT
• Qualifications: M.Sc. (Physics), M.A. (Econ), M.Com., LL.B., CAIIB, Diploma in Banking Technology (DBT), Diploma in Cyber Laws (DCL) and many other IT Programmes / Certifications.


Agenda
• Overview
• Why Care About IT Risks?
• What’s IT Risk? How to manage it?
• Information Security Risk Management - Objectives
• IT Risks in Banks, Issues, Impact
• Risk Assessment, Control strategies
• IT Security breaches & their impact, some examples
• Threat & Incident Management - Challenges
• IT Risk Governance
• IT Risk and ERM
• IT Security, Cyber Security, Cyber Frauds
• Prevention of Cyber Crimes


Why Care About IT-related Risk?
• Organisations depend heavily on IT to run their business
• IT drives the business in every field
• Threats in using technology and IT-enabled services / products are increasing
• There is a strong need to understand the types of risk in IT
• It is important to put Risk Management practices in place
• ITRM is crucial in managing the exposure to risks
• It improves overall business operations and decision making


Why Care About IT-related Risk?
• Not so long ago, information technology (IT) risk occupied a small corner of operational risk: the opportunity loss from a missed IT development deadline, downtime due to failures, etc.
• Today, the success of an entire financial institution may rest on managing a broad landscape of IT risks.
• IT risk is the potential damage to an organisation’s value resulting from inadequate management of processes and technologies.
• IT risk includes the failure to respond to security and privacy requirements, as well as many other issues such as human error, internal & external frauds, obsolescence in applications & machines, reliability issues and mismanagement.
• The World Economic Forum provides the best information about this problem. It ranks a breakdown of critical information infrastructure among the most likely core global risks, with 10-20 % likelihood over the next 10 years and a potential worldwide impact of $250 billion.
• IT risk management is more than using technology to solve security problems.


Various Cyber Attacks on Banks
• SWIFT (Bangladesh Bank case, $81 mn, 2016)
• SWIFT (Union Bank, Nostro A/c, $171 mn, 2016)
• ATM switch (COSMOS Bank, 2019)
• e-Mail spoofing (Town Coop Bank, 22.15 lakhs, 2018)
• Mobile wallet (total 12 cr)
• UPI (send money without debit to account, BOM, 12 cr)
• Cards: cloning, stealing & sale of bulk card data
• Online Banking: stealing & misusing credentials
• Mobile Banking: misusing credentials, fake apps


Regulatory / Supervisory Concerns
• Disruptions
• Impact on the economy due to disruptions
• Loss to the organisation due to disruption of critical services and frauds
• Loss of public confidence & image of the Bank
• Payment and settlement disorders leading to failures in settling obligations among banks & other institutions


Importance of IT Risk in Operational Risk
“Operational risk management is becoming a C-suite and board-level tool to inform strategic and day-to-day business decisions. Advances in technology to address regulatory and other industry factors can be a catalyst for helping organizations rethink their operational risk strategies and modernize capabilities to make risk programs more effective.”
Kristina (Krissy) Davis, Deloitte Risk and Financial Advisory for Deloitte & Touche LLP

(C-suite: CFO, COO, CIO, CTO, CMO and so on)


Some key drivers of change in Operational Risk



Technology Risks – Management and Impact
• Technology-related risk is an important risk
• It needs to be integrated as part of the overall risk assessment and management process in an organisation
• IT is a critical component of Operational Risk Assessment and Management processes


Risk vs Issues
• Risk: A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organisation. “It May Rain Tomorrow.”
  ❖ A risk must have Uncertainty: it might happen (Probability or Likelihood).
  ❖ A risk must have a measurable Impact (usually measured in monetary terms, but other criteria like reputation also apply).
• Issue: An Issue is a current event that will have a (negative) impact on the Business Objectives of an Organisation. “It is Raining Today.”
  ❖ e.g. an Incident, a manifested risk, an Audit non-compliance finding, an Equipment or Supplier failure


Threat vs Vulnerability
• Threat: An event having the potential to cause damage or harm to the system, like disclosure, destruction, modification or denial of access to information or an Information System
• Vulnerability: A weakness in the system that could be exploited to cause damage to the system, like a system that is not patched / updated with the latest releases


Objectives of Technology Risk Management
❖ The goal of ITRM is to identify potential technology risks before they occur and have a plan to address those technology risks
❖ Information System is the wider term for IT.
❖ Technology Risk Management refers to Information Security Management (ISMS)
❖ The objective of an organization's Information Security Management Program is to prudently and cost-effectively manage the risk to critical organizational information assets
❖ Cost is associated with risk:
  ❖ Security incidents cost money
  ❖ Preventing incidents also costs money


Objectives of Information Security Risk Management
To ensure that the risks to the Organisation that are derived from Incidents, Threats, Vulnerabilities and Audit non-compliances are managed effectively.
In Technology, these are the risks that impact CIA, i.e.
• Confidentiality
• Integrity
• Availability
and
• Traceability of Information:
  ❖ Whilst at rest
  ❖ Whilst being modified, or
  ❖ In transit (around a system, e-mail, media device, telephone etc.)
Characteristics of the IT Environment
• High volume and complexity
• Low visibility; location or distance is immaterial
• Fast IT-related changes
• High level of reliance on specialist knowledge
• Low level of human intervention
• The audit environment is different and complex
• Auditing requires both functional and reasonable computer skills
• The likely impact of compromised controls would be very high


IT-related Risks / Issues
ILLUSTRATIVE LIST:
• System failures / disruptions
• Data integrity issues
• Unauthorized access / disclosure of data / information
• Inadequate oversight / governance of IT
• Inadequate alignment with business requirements
• Inadequate segregation of duties
• Malicious activities like hacking / frauds, DoS attacks
• IT project time and cost over-runs or project failures
• Social engineering attacks to gain access to systems
• Lack of or inadequate audit trails
• Inadequate authentication / authorisation to systems
• Inadequate response to IT-related incidents
• Inadequate user training / awareness


What are IT Risks?
• The domain of IT Risk can be described in four areas:
  ❖ Asset
  ❖ Threat
  ❖ Impact
  ❖ Control


What is the impact of IT Risks?

• IT Assets
  ❖ Information
  ❖ Infrastructure (IT)
  ❖ Business Processes (Oper, SW)

• Business Impact
  ❖ Operational
  ❖ Legal
  ❖ Reputational

• IT Threats
  ❖ Confidentiality – Data Breach
  ❖ Integrity Compromised
  ❖ Availability – Disruptions

• IT Control
  ❖ Preventive
  ❖ Detective
  ❖ Limitative
  ❖ Corrective


Classifying IT risk



“You can't manage what you can't measure.”
Peter Drucker - Management Guru


Risk Assessment
• Risk assessment evaluates the relative risk for each vulnerability
• Assigns a risk rating or score to each information asset
• The final summary is compiled in a ranked vulnerability risk worksheet
• The worksheet details asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor
• The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk


Risk Control Strategies
• Apply safeguards (avoidance)
• Transfer the risk (transference)
• Reduce impact (mitigation)
• Understand consequences and accept risk (acceptance)
• Termination


Risk Control Strategy: DEFENSE
• Defense: Prevent the exploitation of the system via application of policy, training / education, and technology. Preferably layered security (defense in depth)
• Counter threats
  ❖ Remove vulnerabilities
  ❖ Limit access to assets
  ❖ Add protective safeguards
• Avoidance of risk by having a good defense mechanism


Risk Control Strategy: TRANSFERAL
• Transferal: Shift risks to other areas or outside entities to handle
• It can include:
  ❖ Outsourcing to other organizations
  ❖ Implementing service contracts with providers
  ❖ Purchasing insurance
  ❖ Revising deployment models


Risk Control Strategy: MITIGATION
• Mitigation: Creating plans and preparations to reduce the damage of threat actualization
• Mitigation includes:
  ❖ Incident Response Plan
  ❖ Disaster Recovery Plan
  ❖ Business Continuity Plan


Risk Control Strategy: ACCEPTANCE
• Acceptance: Properly identifying and acknowledging risks, and choosing not to control them
• Appropriate when:
  ❖ The cost to protect an asset or assets exceeds the cost to replace it / them
  ❖ The probability of the risk is very low and the asset is of low priority
  ❖ Otherwise, acceptance = negligence
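The ranked vulnerability risk worksheet described on the Risk Assessment slide, carried through to the acceptance test on this slide, as a worked example added here (it is not from the slides or from any bank's tooling). The risk-rating formula (asset impact × likelihood), the 1-5 impact scale, the cost figures and the sample assets are assumptions for illustration; rows that do not meet the acceptance criteria fall back to defense, the preferred all-round strategy.

```python
from dataclasses import dataclass

# Hypothetical worksheet rows (constructed sample data, not from any real bank).
# Scales are assumptions for the example: impact 1-5, likelihood 0.0-1.0,
# costs in thousands of rupees, priority "high" or "low".
@dataclass
class WorksheetRow:
    asset: str
    asset_impact: int        # business impact if the asset is compromised (1 minor .. 5 severe)
    vulnerability: str
    likelihood: float        # probability of exploitation within the review period
    cost_to_protect: float   # cost of the safeguard that would remove the vulnerability
    cost_to_replace: float   # cost of replacing the asset if it is lost
    priority: str = "high"

    @property
    def risk_rating(self) -> float:
        # Assumed risk-rating factor: impact weighted by likelihood.
        return self.asset_impact * self.likelihood


SAMPLE_ROWS = [
    WorksheetRow("CBS database", 5, "unpatched DB server", 0.60, 50.0, 5000.0),
    WorksheetRow("ATM switch", 5, "legacy OS out of support", 0.30, 200.0, 3000.0),
    WorksheetRow("Internal test VM", 2, "no backup configured", 0.08, 5.0, 10.0, "low"),
    WorksheetRow("Branch printer", 1, "default admin password", 0.05, 20.0, 0.5, "low"),
]


def rank_worksheet(rows):
    """Ranked vulnerability risk worksheet: highest risk rating first."""
    return sorted(rows, key=lambda r: r.risk_rating, reverse=True)


def choose_strategy(row, very_low_likelihood=0.10):
    """Apply the acceptance criteria from the slide; anything not accepted
    defaults to defense (apply safeguards), the preferred strategy."""
    if row.cost_to_protect > row.cost_to_replace:
        return "acceptance"   # protecting costs more than replacing
    if row.likelihood <= very_low_likelihood and row.priority == "low":
        return "acceptance"   # very low probability and low-priority asset
    return "defense"


def worksheet_report(rows):
    """(asset, risk rating, chosen strategy) tuples in ranked order."""
    return [(r.asset, round(r.risk_rating, 2), choose_strategy(r))
            for r in rank_worksheet(rows)]


if __name__ == "__main__":
    for asset, rating, strategy in worksheet_report(SAMPLE_ROWS):
        print(f"{asset:<18} rating={rating:<5} strategy={strategy}")
```

The worksheet ranks the CBS database first and the branch printer last; the printer is accepted because the safeguard would cost more than the device, and the test VM is accepted only because its likelihood is very low and it is low priority. Everything else gets defense, which is the point of the "otherwise acceptance = negligence" line.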


Risk Control Strategy: TERMINATION
• Termination: Removing or discontinuing the information asset from the organization
• Examples include:
  ❖ Equipment disposal
  ❖ Discontinuing a provided service
  ❖ Firing an employee


Pros and Cons of each strategy

Strategy     | Pros                           | Cons
-------------|--------------------------------|-----------------------------------
Defense      | Preferred all-round approach   | Expensive and laborious
Transferal   | Easy and effective             | Dependence on external entities
Mitigation   | Effective when all else fails  | Loss to organization
Acceptance   | Cheap and easy                 | Rarely appropriate, unsafe
Termination  | Relatively cheap and safe      | Rarely appropriate, involves loss


IT Risk Management: Three Essential Activities
• Risk Governance
  ❖ Responsibility and accountability for risk
  ❖ Risk appetite and tolerance
  ❖ Awareness and communication
  ❖ Risk culture
• Risk Evaluation
  ❖ Risk scenarios
  ❖ Business impact descriptions
• Risk Response
  ❖ Key Risk Indicators (KRIs)
  ❖ Risk response definition and prioritization


Standards and Frameworks
International / Industry Best Practices
• International Standards and Frameworks:
  ❖ Enterprise Risk Management oriented: COSO
  ❖ IT Security oriented: COBIT (ISACA)
  (COSO, ITIL, BiSL, ISO 27000, CMMI, TOGAF and PMBOK)
  ❖ Hybrid: Risk-IT (ISACA)


Some Examples of IT Security
Breaches



What can go wrong
• Operations failure
• Data leakages
• Data damage, loss
• System failure – HW / SW / Network
• Data theft – insider / internal threats
• Data theft – breaches / external threats


Rogue & Unauthorised Trading
• UBS:
  ❖ 2011: A rogue trader caused an estimated loss of €2 billion, stunning a banking industry that has proven vulnerable to unauthorised trades.
  ❖ Financial Loss: €2 Billion
• SOCIETE GENERALE:
  ❖ 2008: Trading loss incident for breach of trust, forgery and unauthorised use of the bank’s computers.
  ❖ Financial Loss: €5 Billion


Data Leakage
• SONY:
  ❖ 2010: The worldwide electronics leader had to interrupt its gaming network for 23 days due to hacking, resulting in data leakage of 100 million client accounts, 58 claims.
  ❖ Financial Loss: €130 M
• ZURICH:
  ❖ 2008: Failing to properly manage the risks associated with the security of customer information, in the context of an outsourcing program in South Africa.
  ❖ Financial Loss: €2 M
Information System Failure
• DBS BANK:
  ❖ 2010: One of Singapore’s largest banks suffered a major IT system crash affecting the bank’s commercial and consumer banking systems. The bank was blamed by the Monetary Authority (MAS) for insufficient oversight of the maintenance, functional and operational practices and controls employed by its provider, IBM.
  ❖ Financial Loss: €135 M
• DOW JONES:
  ❖ 2010: The Industrial Average of one of the G8 countries plunged about 1000 points (around 9%), only to recover the flash crash losses within minutes, due to unusual selling of E-Mini S&P 500 contracts and high-frequency trades.
  ❖ Financial Loss: US stock market Flash Crash


Data Theft and Insider Threat
• HSBC:
  ❖ 2009: Personal details of 24000 bank clients were stolen and given to the French tax authorities by Herve Falciani, an IT specialist. FINMA reprimanded the bank for deficiencies in its internal organization and IT controls.
  ❖ Financial Loss: Unknown
• HSBC:
  ❖ 2008: The bank lost a CD containing 1.8 lakh customers’ information and was fined more than £3m by the FSA for failing to protect confidential details from being lost or stolen. Lack of training and lack of IT security (no data encryption) were highlighted as the main issues.
  ❖ Financial Loss: €3.5 M (FSA fine)


Data Theft & Breaches (2020-21)
➢ NPCI: The BHIM app data breach exposed the data of over 7 million users, affecting personal records. The 409-gigabyte data leak included personal information such as Aadhaar card details, bank records etc.
➢ Juspay: The Juspay data breach affects Amazon, Swiggy and many others. The compromised information of 10 crore (100 million) Indian cardholders was up for sale on the dark web; the leaked information was from Juspay’s data servers.
➢ SolarWinds Breach: The SolarWinds breach has emerged as one of the biggest ever targeted against the US government, its agencies, and several other private companies; it is called a ‘Supply Chain’ attack.
➢ Reserve Bank of NZ Data Breach: Criminals hacked a third-party hosting partner of the Central Bank, resulting in a data breach as the data stored at the third-party hosting provider was accessed by the hackers.


Threat & Incident Management
The Challenge: Visibility and Traceability
• Visibility and traceability of IT threats challenge IT Risk & IT Security professionals, due to the complex IT environment and evolving attacks.
• Understanding how the workstations, servers, network and applications are used, and having a consolidated view and dashboard of the overall IT risk posture, is not an out-of-the-box tool.
• Knowing the threats and risks to the infrastructure requires detailed, structured and/or correlated analysis of the Information System’s logs.
• Business-critical visibility into specific behaviours by end users, for effective remediation by Security and Operations teams, is mandatory to ensure a reliable incident management service.
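The "structured and correlated log analysis" point above, shown as a small SIEM-style correlation rule in an example added here (not from the slides, and not the logic of any named SIEM product). The log format, host names, user names and addresses are constructed for the example; the rule itself is the common one: several failed logins for a user from one source, followed by a success inside a short window, is worth an alert, while a lone failure long before a success is not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of application authentication logs (not captured from a real
# system). The line format is an assumption for the example.
SAMPLE_LOG = """\
2021-03-01T09:00:01 cbs-app01 auth: FAILED user=teller42 src=10.1.5.23
2021-03-01T09:00:05 cbs-app01 auth: FAILED user=teller42 src=10.1.5.23
2021-03-01T09:00:09 cbs-app01 auth: FAILED user=teller42 src=10.1.5.23
2021-03-01T09:00:14 cbs-app01 auth: SUCCESS user=teller42 src=10.1.5.23
2021-03-01T09:10:00 cbs-app01 auth: FAILED user=mgr07 src=10.1.7.8
2021-03-01T09:30:00 cbs-app01 auth: SUCCESS user=mgr07 src=10.1.7.8
2021-03-01T09:31:00 cbs-app01 auth: SUCCESS user=auditor1 src=10.1.9.2
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>[\d.]+)$"
)


def parse(text):
    """Structure the raw lines; lines that do not match are skipped here
    (a SIEM would count them as a parsing-failure metric)."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: a SUCCESS for (user, src) preceded by at least
    `threshold` FAILED events for the same pair inside `window` is an alert."""
    recent_failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        # Slide the window: forget failures older than `window`.
        recent_failures[key] = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "FAILED":
            recent_failures[key].append(ev["ts"])
        elif len(recent_failures[key]) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(recent_failures[key]), "at": ev["ts"]})
            recent_failures[key].clear()
    return alerts


if __name__ == "__main__":
    for a in correlate_bruteforce(parse(SAMPLE_LOG)):
        print(f"ALERT {a['at']}: {a['failures']} failures then success "
              f"for {a['user']} from {a['src']}")
```

On the sample, only teller42 produces an alert: three failures and a success within 13 seconds. mgr07's single failure 20 minutes before a successful login falls outside the window and is not reported, which is the kind of threshold tuning a SIEM rule needs before it is useful to a Security Operations team.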


Threat & Incident Management
The different types of tools:
• External threat:
  ❖ Firewalls
  ❖ Intrusion Prevention Systems (IPS)
• Internal threat:
  ❖ Antivirus solutions
  ❖ DLP solutions (Data Leakage Prevention)
  ❖ Desktop monitoring (Active Directory)
• Incident: fraud & investigation:
  ❖ SIEM solutions (Security Information & Event Management)
  ❖ Forensics (EnCase)


Technology & Security Issues
• A security policy, duly approved by the Board, should be in place
• Segregation of duties between the Information Security section & the Information Technology section
• Logical access controls like user IDs, passwords, biometrics etc. should be introduced for access to data, systems, application software, communication lines etc.
• A Network & Database Administrator should be designated with clearly defined roles


Technology & Security Issues
• All computer accesses, including messages received, should be logged. Security violations (suspected or attempted) should be reported and followed up.
• SSL should be used, which ensures server authentication.
• All unnecessary services / programs on the servers, such as FTP and Telnet, should be disabled.
• The e-mail server should be isolated from the application servers.
• The Information Security Officer and the Information System Auditor should undertake periodic penetration tests (VAPT) of the systems.
• Physical access controls should be strictly enforced.
(SSL - Secure Sockets Layer, FTP - File Transfer Protocol)
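A way to verify the "disable unnecessary services such as FTP and Telnet" control, as an example added here rather than a tool from the slides. It parses the listening-socket table in the shape that `ss -tlnp` prints on Linux and reports listeners that the policy forbids; the sample output, the port-to-service policy and the severity labels are constructed assumptions for the example.

```python
import re

# Constructed sample in the shape of `ss -tlnp` output on a Linux server
# (not captured from a real host).
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=901,fd=4))
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*          users:(("in.telnetd",pid=955,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1201,fd=7))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1330,fd=5))
"""

# Policy, as an assumption for the example: the services the slide says to
# disable, plus cleartext HTTP exposed beyond localhost, which should be served
# over SSL/TLS instead.
DISALLOWED = {21: "FTP (cleartext file transfer)", 23: "Telnet (cleartext remote login)"}
NEEDS_REVIEW = {80: "HTTP (unencrypted; serve over SSL/TLS)"}

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?P<proc>.*)$")
PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(text):
    """Turn the tabular output into (address, port, process name) records."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue   # header line or something other than a TCP listener
        proc = PROC_RE.search(m.group("proc"))
        listeners.append({"addr": m.group("addr"), "port": int(m.group("port")),
                          "process": proc.group(1) if proc else "?"})
    return listeners


def audit_listeners(listeners):
    """Findings as (severity, port, process, reason), ordered by port."""
    findings = []
    for l in listeners:
        if l["port"] in DISALLOWED:
            findings.append(("HIGH", l["port"], l["process"], DISALLOWED[l["port"]]))
        elif l["port"] in NEEDS_REVIEW and l["addr"] != "127.0.0.1":
            findings.append(("MEDIUM", l["port"], l["process"], NEEDS_REVIEW[l["port"]]))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for sev, port, proc, why in audit_listeners(parse_listeners(SAMPLE_LISTENERS)):
        print(f"{sev:<6} port {port:<5} {proc:<12} {why}")
```

Run against real output (`ss -tlnp | python3 audit.py`-style piping is a one-line change), the script turns the slide's checklist item into a repeatable check that an Information System Auditor can schedule; the database bound to 127.0.0.1 is correctly left alone.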
Technology & Security Issues
• Business Continuity (BCM) should be ensured by setting up disaster recovery sites. These facilities should also be tested periodically (DR drills).
• Security infrastructure should be properly tested before using the systems and applications for normal operations
• The organisation should upgrade systems by installing patches released by developers to remove bugs and loopholes, and upgrade to newer versions which give better security and control.


Cyber Security & Prevention from
Cyber Crimes



Cyber Risks - IT and the Changing Banking Environment
• Levels of computerization - major technological developments
• Changes in business processes facilitated by technology
• E-banking channels
• Ever-evolving payment systems
• Expanding e-commerce universe
• Complex environments for processes & controls
• Increased IT outsourcing
• Sharing of resources like ATM networks
• Cloud, digital wallets, APIs, BYOD
• Regulatory guidelines


Cyber Risk
• Cyber risk can manifest itself across several dimensions, making it difficult to detect, measure and control
• Sources of cyber risk:
  ❖ Internet attacks, hacktivism, hackers, country attacks, Advanced Persistent Threats, insider data leakage, social engineering etc.
  ❖ Internal origins of cyber risk: e-mails, digital banking services, electronic payments, electronic trading, outsourcing, dependence on third parties, data exchange with external agencies, technology infrastructure etc.
• Most security breaches are due to improper implementation of controls and processes and, more importantly, not being aware of this, as mission-critical activities are outsourced.
• Responsibility, accountability and ownership rest with the bank


Cyber Threats / Cyber Crimes
Why these are different
➢ Anonymity
➢ No physical evidence / clues
➢ High impact & intensity
➢ Done from a place far away from the scene of crime
❖ Global
❖ Automated
❖ Continuous
Beware of Shoulder surfing



Types of Cyber Crimes & Cyber Threats
• Data Alteration
• Spoofing
• Phishing
• Pharming
• Data Diddling
• Flooding
• Denial of Service (DoS / DDoS)
• Voice / SMS Spoofing
• Packet Sniffing
• Lottery Scams
• Computer Contamination
• Virus / Malwares
• Ransomwares
• Man-in-the-middle Attack
• Logic Bombs / Salami Attack
• Skimming / Shimming
• Data Theft
• SIM Swap
• Net Banking Frauds
Malwares, Trojans, Adwares
» Malware, short for malicious software, is software used to disrupt computer operation, gather sensitive information, or gain access to computer systems.
» 'Malware' is a general term used to refer to a variety of forms of hostile, intrusive, or annoying software and includes computer viruses, worms, trojan horses, spyware, adware, and other malicious programs.
» Trojans: software silently entering the computer system with the intention to harm it.


Data Diddling
• Involves altering the raw data just before a computer processes it and then changing it back after processing is completed
Salami Attacks
• These attacks involve making alterations so insignificant that in a single case they would go completely unnoticed. Such attacks are used for the commission of financial crimes
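Why a salami attack goes "completely unnoticed" in a single case, and how it is still caught, shown on a constructed interest-posting run as an example added here (not from the slides). The scenario assumes the bank's policy rounds interest half-up to two decimal places, that an attacker instead truncates each posting and credits the shaved paise to a collector account (SB9999 here), and that the batch is checked two ways: a control total, which the attack passes, and a per-account reconciliation, which it does not. Account numbers and amounts are constructed.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

# Constructed interest run: (account, computed interest, posted interest), as
# strings so Decimal keeps the amounts exact. SB9999 earns no interest itself;
# in this constructed scenario it collects the fractions shaved from the others.
POSTINGS = [
    ("SB1001", "12.3457", "12.34"),
    ("SB1002", "8.9991", "8.99"),
    ("SB1003", "105.2068", "105.20"),
    ("SB1004", "0.4699", "0.46"),
    ("SB1005", "50.1234", "50.12"),   # truncation and rounding agree here
    ("SB9999", "0.0000", "0.04"),     # the collector account
]

TWO_PLACES = Decimal("0.01")


def expected_posting(computed: Decimal) -> Decimal:
    """The bank's rounding policy (assumption): half-up to two places."""
    return computed.quantize(TWO_PLACES, rounding=ROUND_HALF_UP)


def control_total_balances(postings) -> bool:
    """Batch control total: does total posted equal total expected?
    A salami attack passes this check, because the shaved amounts are
    still posted, just to the wrong account."""
    expected = sum((expected_posting(Decimal(c)) for _, c, _ in postings), Decimal(0))
    posted = sum((Decimal(p) for _, _, p in postings), Decimal(0))
    return expected == posted


def reconcile(postings):
    """Per-account reconciliation. Returns (shortfalls, total shortfall, collectors):
    shortfalls maps accounts posted less than expected to the difference; collectors
    are accounts with no computed interest whose credits equal the total shortfall."""
    shortfalls = {}
    unexplained = defaultdict(lambda: Decimal(0))
    for account, computed, posted in postings:
        computed, posted = Decimal(computed), Decimal(posted)
        diff = expected_posting(computed) - posted
        if diff > 0:
            shortfalls[account] = diff
        if computed == 0 and posted > 0:
            unexplained[account] += posted
    total_shortfall = sum(shortfalls.values(), Decimal(0))
    collectors = [a for a, amount in unexplained.items()
                  if total_shortfall > 0 and amount == total_shortfall]
    return shortfalls, total_shortfall, collectors


if __name__ == "__main__":
    print("control total balances:", control_total_balances(POSTINGS))
    shortfalls, total, collectors = reconcile(POSTINGS)
    print("accounts short:", sorted(shortfalls), "total:", total, "collectors:", collectors)
```

Each account is short by one paisa, which no customer will query; the control total balances to the paisa, so the batch passes the usual end-of-day check. Only recomputing the expected posting per account surfaces the pattern and points at the account that received exactly the sum of the shortfalls. A production reconciliation would compare with a small tolerance rather than exact equality and would also watch for many tiny credits accumulating over several runs.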


» Phishing: Using spoof e-mails / SMSs or directing people to fake web-sites to fool them into divulging personal financial details so criminals can access their account. You cannot tell what a link hidden behind a tiny URL will do.
» Pharming: Technically more sophisticated exploitation of a vulnerability in the DNS server software
» 156 million phishing attacks per day
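The "link under a tiny URL" warning turned into a link checker that a bank's e-mail gateway or awareness tool could run before a user clicks, as an example added here (not from the slides). It flags the classic phishing URL tricks: shorteners that hide the destination, a raw IP address as the host, user-info before '@' that makes the real host invisible, a punycode label, and hosts that embed or closely resemble the bank's genuine domain. The trusted domain `examplebank.in`, the shortener list and all sample URLs are constructed assumptions for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for the example: the bank's genuine domain and a few well-known
# URL shorteners. A real deployment would load both lists from configuration.
TRUSTED_DOMAINS = {"examplebank.in"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike names such as examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host (good enough for .in/.com style names)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_link(url: str):
    """Return a list of reasons the link deserves suspicion; empty means no flags."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        reasons.append("not SSL/TLS: credentials would travel in the clear")
    if "@" in parts.netloc:
        reasons.append("user-info before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a bank domain")
    except ValueError:
        pass   # a name, not an address
    if host in SHORTENERS:
        reasons.append("shortened URL hides the destination")
    if "xn--" in host:
        reasons.append("punycode label: possible homograph of a trusted name")
    base = registrable(host)
    for trusted in TRUSTED_DOMAINS:
        if base == trusted:
            continue   # the genuine domain or a subdomain of it
        if trusted in host:
            reasons.append(f"trusted name '{trusted}' embedded in an untrusted host")
        elif edit_distance(base.split(".")[0], trusted.split(".")[0]) <= 2:
            reasons.append(f"host looks like '{trusted}'")
    return reasons


if __name__ == "__main__":
    for sample in ["https://www.examplebank.in/login",
                   "https://bit.ly/3abc",
                   "https://examp1ebank.in/verify",
                   "https://examplebank.in.secure-login.example/otp",
                   "http://examplebank.in@203.0.113.7/"]:
        print(sample, "->", assess_link(sample) or ["no flags"])
```

The genuine login page produces no flags; each of the other constructed links produces at least one. A shortener cannot be judged from the URL alone, which is exactly the slide's point: the link must be expanded (or simply not followed) before anyone can say what it does.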


Nigerian Scam
• Nigerian frauds (409 or 419) are basically lottery scams or the sharing of a fake inheritance of huge money, in which some overseas persons are involved to cheat innocent persons or organizations by promising to give a good amount of money for nominal fee charges
• In spite of the age-old techniques & repeated warnings, people respond to such e-mail / SMS invitations and fall prey to such frauds


SIM SWAP
• A SIM swap scam, also known as SIM splitting, simjacking, SIM hijacking or port-out scamming, is a fraud in which scammers take advantage of the subscriber’s ignorance and abuse OTP-based two-factor authentication and verification done by message (SMS), OTP or phone call to the number.
• The scammers call the mobile operator, impersonating the subscriber and claiming to have lost or damaged their (your) SIM. The fraudster then asks to issue and activate a new SIM, which ports the mobile number to the fraudster’s device. Sometimes they claim that they need help switching to a new phone.
• A trick employed by fraudsters is to flood the subscriber with nuisance calls in the hope that he / she switches off the phone.
• Never switch off the phone; rather, don’t answer such calls.
• Please check whether the mobile operator sends an SMS alert in case of a SIM card change request; this can help stop the fraud quickly.
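The slide's last point, a SIM-change alert, seen from the bank's side: a decision routine that withholds SMS OTP while a SIM change is fresh, as an example added here (not from the slides or from any bank's system). It assumes the bank receives SIM-change timestamps from the operator and keeps its own record of when a customer's registered mobile number was changed; the 24-hour and 72-hour cooling periods, the high-value threshold and all customer data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed signals (not real data). SIM_CHANGES stands in for a SIM-change
# feed from the mobile operator; MOBILE_UPDATES is the bank's own record of
# when a customer's registered mobile number was last changed.
SIM_CHANGES = {
    "+919800000001": datetime(2021, 3, 1, 8, 30),
    "+919800000002": datetime(2021, 2, 1, 10, 0),
}
MOBILE_UPDATES = {
    "C1003": datetime(2021, 2, 28, 18, 0),
}

SIM_COOLING = timedelta(hours=24)       # assumption
CONTACT_COOLING = timedelta(hours=72)   # assumption
HIGH_VALUE = 50000.0                    # assumption, in rupees


@dataclass
class OtpRequest:
    customer_id: str
    mobile: str
    amount: float
    requested_at: datetime


def is_recent(event_at, now, window) -> bool:
    """True if the event falls inside the window. A request timestamped before
    the event (feed lag or clock skew) is also treated as recent, conservatively."""
    return event_at is not None and now - event_at <= window


def decide_otp_channel(req, sim_changes=SIM_CHANGES, mobile_updates=MOBILE_UPDATES):
    """Return (decision, signals). SMS OTP goes out only when no fresh SIM-change
    or registered-mobile-change signal exists; otherwise the request is routed to
    an alternate channel, or held for call-back verification if high-value."""
    signals = []
    if is_recent(sim_changes.get(req.mobile), req.requested_at, SIM_COOLING):
        signals.append("SIM changed within cooling period")
    if is_recent(mobile_updates.get(req.customer_id), req.requested_at, CONTACT_COOLING):
        signals.append("registered mobile number changed recently")
    if not signals:
        return "send_sms_otp", signals
    if req.amount >= HIGH_VALUE:
        return "hold_and_verify", signals
    return "use_alternate_channel", signals


def decide_from_iso(customer_id, mobile, amount, when_iso):
    """Convenience wrapper taking the request time as an ISO-8601 string."""
    req = OtpRequest(customer_id, mobile, amount, datetime.fromisoformat(when_iso))
    return decide_otp_channel(req)


if __name__ == "__main__":
    for args in [("C1001", "+919800000001", 100000.0, "2021-03-01T10:00:00"),
                 ("C1001", "+919800000001", 100000.0, "2021-03-03T10:00:00"),
                 ("C1003", "+919800000003", 1500.0, "2021-03-01T10:00:00"),
                 ("C1002", "+919800000002", 1500.0, "2021-03-01T10:00:00")]:
        print(args[:3], "->", decide_from_iso(*args))
```

The first request arrives ninety minutes after a SIM change and asks for a high-value transfer, so it is held for out-of-band verification; two days later the same customer gets a normal SMS OTP. C1003 has no SIM event but changed the registered mobile number in bank records forty hours earlier, so a low-value request is steered to the app or branch instead of SMS. The operator's SMS alert helps the customer; this check is what lets the bank act on the same signal.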


I.T. Frauds
• Fraud is deliberate deception to secure unfair or unlawful gain, or to deprive a victim of a legal right.
• Computer fraud is the act of using a computer to take or alter electronic data, or to gain unlawful use of a computer or system.
• Internet banking fraud is a fraud or theft committed to illegally remove or use money from a bank account.
• Generally this is a form of identity theft and is usually made possible through techniques such as phishing.
• Internet fraud is the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them.
• Cyber fraud is a crime committed using any of the above methods, particularly with the intent of money theft.
• A computer is used by criminals either as a tool or a target.


Damage to Computer / Computer Systems
Sec. 43, IT Act:
Penalty for damage to computer, computer system, etc.
If any person without permission of the owner or any other person who is incharge of a
computer, computer system or computer network, —
(a) accesses or secures access to such computer, computer system or computer network;
(b) downloads, copies or extracts any data, computer data base or information from such computer,
computer system or computer network including information or data held or stored in any removable
storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any
computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network, data,
computer data base or any other programmes residing in such computer, computer system or
computer network;
(e) disrupts or causes disruption of any computer, computer system or computer network;
(f) denies or causes the denial of access to any person authorised to access any computer,
computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer system or
computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
(h) charges the services availed of by a person to the account of another person by tampering with
or manipulating any computer, computer system, or computer network,
he shall be liable to pay damages by way of compensation not exceeding one crore rupees to
the person so affected.



Internet / Mobile Banking Frauds
• Internet Banking has become de facto remote branch banking for individuals, corporates & organisations
• Widely used to check account details and statements, remit money, share trading, investment planning, bill payments, tax payments, online shopping / bookings and so on
• Due to some ignorance or small mistakes, people easily fall into the trap of cyber criminals.
• Phishing & social engineering are the two top modes of defrauding
• Nowadays people are defrauded through UPI frauds, PayTM / GPay frauds, OTP sharing, SIM swap etc.
• Malwares through unscrupulous apps and tiny URLs etc.


What is Information System Security?
Information Security is the process of protecting data and computer resources from unauthorized access, use, disclosure, destruction, disruption, or modification.


Information System Security is
• Confidentiality,
• Integrity,
• Availability &
• Authenticity of data / computer resources.

The terms information security, computer security and information assurance are frequently used interchangeably.

You can term it in different ways, but ultimately the heart of it is protection of the confidentiality, integrity and availability of data.


WHAT IS CYBER SECURITY?
• Information security is all about protecting information, and generally focuses on the Confidentiality, Integrity and Availability (CIA) of the information.
• Cyber security is about securing things that are vulnerable through the cyber world.
• Cyber security is the protection of Internet-connected systems, including hardware, software and data, from cyber attacks, or more broadly from attacks through ICT.
• In a computing context, security comprises physical security, IT security and cyber security; all are used by enterprises to protect against unauthorized access to critical resources such as data centres and computerized systems.


Why? – Information Security
The modern thief can steal more with a computer than with a gun.
Today a terrorist may be able to do more damage with a keyboard than with a bomb.


Why? – Information Security
• To prevent data leakage
• To prevent reputation loss
• To prevent financial / business loss
• To attract more business


Types of Information Security
• Physical Security - physical access control
• Logical Security - passwords, logical access control
• Network Security - IDS, NIDS, IPS, firewall, biometrics, cryptography (DS)


CLASSIFICATION
Cyber crime may be broadly classified under three groups. They are:

1. Against Individuals
   a. their person &
   b. the property of an individual
   Financial fraud crimes, cybersex trafficking, obscene or offensive content, online harassment

2. Against an Organization
   a. Firm, Company
   b. Group of Individuals
   Financial fraud crimes, IPR & other property rights

3. Against Society at large
   a. Government, Races, Mankind
   Cyberterrorism, cyberwarfare, cyber-extortion, drug trafficking


[Figure: threats and damages. Threats: Malicious Insider Acts (Theft, Sabotage, Fraud) and Hackers. Damages: Negative PR, Lost business; Access interrupted; Customer confidence lost; Loss of valuation; Data disclosed; Strategic data compromised; Stock impacted.]


Precautions - Best Practices for Users
• Be cautious while opening e-mail attachments received from an unknown sender / domain
• Be sure before clicking URLs provided in e-mail contents
• Avoid sharing personal information (password, PIN, card details etc.)
• Use strong passwords and regularly change your password, PIN etc.
• Preferably keep a backup of your data at a protected location
• Install anti-virus and anti-malware software and regularly update them
• USB flash drives (pen-drives) are not to be used in PCs on the Bank’s network
• Do not connect to the Internet from systems which are connected to the Bank’s network.
• On suspension, transfer or retirement, login IDs and digital signatures should be revoked.
• Do not install unauthorized software, e.g. freeware, shareware etc.
• Maintain a clear desk and clear screen policy.


5P MANTRA
• PRECAUTION
• PREVENTION
• PROTECTION
• PRESERVATION
• PERSEVERANCE


MOST COMPUTER CRIMINALS THRIVE NOT ON KNOWLEDGE BUT INSTEAD BLOSSOM DUE TO IGNORANCE ON THE PART OF USERS / SYSTEM ADMINISTRATORS


Questions?


Thanks
Mail: ashrimali@gmail.com
Mobile: 9975461415