
Information Assurance & Security

(TEB 2193)

Assignment 1

Name : Fatin Nasuha Binti Abdul Razak


ID : 18002908

Lecturer’s Name:
Nazlinee Samiha Binti Haron
1. Question 1

Title : A case study on E-Banking security.


Sector/Industry : Bank Simpanan Nasional (BSN), a government owned bank in
Malaysia.

People use the Internet for various reasons such as shopping and online banking. One of the
major concerns when purchasing online and accessing financial information is security.
Information security is the protection of information and the systems used to store and transmit
data.
The aim of this research is to identify the security threat factors that influence customers'
intention to continue using Internet banking. Customers are apprehensive about the security of
their personal financial information that could be accessed via the Internet. The electronic
banking community has recognized the need for information assurance and security. This is
one of the important factors because Bank Simpanan Nasional (BSN) is highly committed to
ensuring that all data, materials and information disclosed, shared, stored or used, and any
transactions performed via MyBSN, are kept safe, secure, private and confidential. For this
purpose, a security and privacy protection system is in place to ensure that the highest
security and confidentiality standards are maintained.
Information security is concerned with the protection of three characteristics of information:
confidentiality, integrity, and availability through the use of technical solutions and managerial
actions (Gordon and Loeb, 2002). All commercial operating systems have vulnerabilities, also
known as weaknesses in the computer system (Landwehr, 2001). These vulnerabilities create
opportunities for possible threats to the information housed on these systems.
This section discusses these countermeasures and gives more information about the
security practices that are taken to ensure the confidentiality, integrity and availability of Bank
Simpanan Nasional (BSN) information.
To ensure data confidentiality and integrity, all information transmitted over the Internet is
encrypted using the 128-bit Secure Sockets Layer (SSL) protocol, with a certificate issued by
the Verisign Certificate Authority. SSL is a secure way of transferring information between two
computers on the Internet using encryption. Strong end-to-end encryption is also adopted within
BSN's computer networks and resources.
MyBSN is WebTrust certified. This certifies their compliance with leading international security
standards and Best Practices, as well as their commitment to maintaining a secure
environment. WebTrust is an independent corporation that monitors and tests their facilities
to assure that they will maintain the highest and most current standards in Internet information
security and exchange.

BSN is committed to ensuring the security, privacy and confidentiality of customer information.
It has in place highly secured computer systems to protect customer information and to ensure
that all information is kept safe and confidential under its stringent security standards. BSN's
systems are well controlled in order to ensure that customer information is maintained in a
secured and private environment. While BSN shall use its best efforts to ensure that the privacy
of all information is kept secure, it is an accepted fact that no data transmission conducted over
the Internet can be guaranteed to be wholly secure. Accordingly, BSN discourages customers
from transmitting any information whose contents are confidential or sensitive to the bank via
the Internet, as it is unable to guarantee the privacy or security of the same, unless otherwise
stated. BSN shall neither be held responsible nor liable for any damages or losses which a
customer may suffer, whether directly or indirectly, as a result of the said information being
stolen, tampered with, copied, abused, misused or otherwise violated.
BSN has adopted a combination of the following systems security and monitoring measures
for online transactions:
• Firewall systems, strong data encryption, anti-virus protection and a round-the-clock
security surveillance system to detect and prevent any form of illegitimate activity on
its network systems.
• Regular security reviews of the systems from time to time.

BSN also makes every effort to collaborate with major vendors/manufacturers to keep
abreast of information security technology developments, for possible future
implementation.

In order to have a strong handle on data security issues that may potentially impact the
business, it is imperative to understand the relationships between three components. Though
these technical terms are used interchangeably, they are distinct terms with different meanings
and implications.
a) Threat – A new incident with the potential to harm a system or organization.
b) Vulnerability – A known weakness that hackers could exploit.
c) Risk – The potential for damage when a threat exploits a vulnerability.

The main challenge for the e-banking sector is the intensive use of information technology
applications related to e-banking. This leads to electronic security threats: cyber-attacks on
customer profiles, embezzlement, fraud involving data messages, threats to customer
confidentiality and theft protection, and threats to the secrecy of financial transactions.

There are several examples of TVR that might be present in this sector, as the study
reveals. 60% of bank managers agree that online identity theft has been identified by their
bank, while attacks through malicious code and denial-of-service attacks were agreed on by
54% of the executives. In fact, the attacks inspired by Wikileaks against the main e-commerce
sites fueled the interest of fraudsters. Cases of hacking as well as credit card or ATM fraud
have also been identified or reported in banks. The sophistication of phishing, vishing and
spoofing attacks is also identified and confirmed by 76% of the bank's executives. Phishing,
falsification, hacking and online identity theft are some of the main challenges for banks. The
main security threats or attacks on electronic banking platforms are denial of service,
illegitimate use, disclosure of information and repudiation. Below are two examples of types
of attack that an attacker may attempt in order to exploit vulnerabilities specific to the
operating systems.

i. DoS: A denial-of-service attack is a cyber-attack in which the perpetrator seeks to make
a machine or network resource unavailable to its intended users by temporarily or
indefinitely disrupting services of a host connected to the Internet. Denial of service is
typically accomplished by flooding the targeted machine or resource with superfluous
requests in an attempt to overload systems and prevent some or all legitimate requests
from being fulfilled.
ii. Phishing: Phishing is a form of online identity theft which attempts to steal sensitive
information such as usernames, passwords and online banking details from its victims. It is
a type of semantic attack, in which attackers try to fool legitimate Internet users and steal
money from them by sending e-mails rather than by exploiting bugs in computer software.
The attacker creates a fraudulent web site which has the look-and-feel of the legitimate
website. Phishing e-mails employ a variety of tactics to trick people into disclosing their
confidential information such as usernames, passwords, national insurance numbers
and credit/debit card numbers.

The DNS server previously used by BSN was based on Microsoft DNS, and the reliability of
the server did not meet the quality they wanted. With more than 7 million customers and
multiple e-banking services, this translated to almost 70,000 queries every day. With this high
volume of queries every day, a standard Microsoft DNS server would not stand a chance,
requiring the server to be rebooted once a week to refresh the DNS service.

Besides the unreliability of the DNS service, Microsoft DNS is plagued with many security
problems and malware attacks. Without comprehensive protection and advanced security
hardening, Microsoft DNS is waiting to be attacked by hackers and the like. A simple DNS
attack can seriously affect the reliability of other online services that depend on the
DNS.

The same issues also affected BSN's internal DNS server. To complicate matters, the
internal DNS server is also the Active Directory server, which handles more services, so the
reliability of that server is already critical. As we all know, Microsoft DNS does not have any
protection or High Availability for its DNS server. If one of the DNS servers is down, the client
will take some time to switch the DNS lookup to the secondary DNS server. The timeout while
waiting for the resolving process to fall back to the secondary DNS server will definitely slow
down a lot of the work done by BSN staff.

With the new DNS solution, the problems that have plagued the Microsoft DNS server are
alleviated. The results are:

• Better response time and the highest reliability for the DNS services.

• Advanced DNS protection. With the advanced DNS protection, any hacker that tries to
attack the DNSVault server will be automatically blocked for a certain duration of time.
• The best reliability, and clients do not experience any timeout issues.

2. Question 2

The biggest takeaway from the session with Mr Farisul Faris, Head of Tech & Innovation,
Digital Division, Bank Muamalat Malaysia Berhad, regarding the topic of Data Sharing in
Financial Technology Services is about cybersecurity. The PDPA lists the security principle as
one of its data protection principles. Under this principle, an organisation must ensure that both
technical and organisational security measures are well in place to safeguard the personally
identifiable information that it processes. The ISO/IEC 27001 Information Security Management
System (ISMS), an international standard which deals with information technology system risks
such as hacker attacks, viruses, malware and data theft, is the leading standard for cyber risk
management in Malaysia.
Digital transformation, in any sector, always presents new challenges, especially for banks and
for financial services. To put it simply, revolutionising the way banks do transactions means
overhauling their legacy systems, including people, process and technology.
Humans remain the weakest link. Customers, especially those who are not digitally native,
lack proper awareness of the simplest risks like phishing and spam. Internal employees
require new training, and third-party services should also be assessed comprehensively.
Sectoral regulators such as BNM and the Securities Commission Malaysia have also been
actively tackling issues relating to cybersecurity in their respective sectors by issuing
guidelines and setting standards for compliance.
Financial services, as they transform and carry more data with them, should be looking at an
adaptive approach to security which is proactive rather than reactive – ready before
an attack happens.
