Third-party services
Many banks and financial institutions use third-party services from other vendors to serve their customers better. However, if these vendors do not have tight cybersecurity measures in place, the bank that has engaged them will be affected as well.
Phishing is the attempt to obtain sensitive information, such as credit card details, for malicious purposes by disguising as a trustworthy entity in an electronic communication. Online banking phishing scams have evolved continuously. They look genuine and real, but they fool you into giving away your access information.
• DNS Spoofing: DNS (Domain Name Service) spoofing is the process of poisoning entries on a DNS server to redirect a targeted user to a malicious website under attacker control.
To protect against DNS spoofing, DNS providers can use DNSSEC (DNS security). When a domain owner sets up DNS entries, DNSSEC adds a cryptographic signature to the entries, which resolvers require before they accept DNS lookups as authentic.
• Website spoofing: Website spoofing is the act of creating a website with the intention of misleading readers into believing that the website has been created by a different person or organization. Normally, the spoof website adopts the design of the target website, and it sometimes has a similar URL.
• The Bank has engaged a vendor for Anti-phishing and Anti-malware Services, including Dark web monitoring and Brand Image protection. The vendor initiates the process of taking down such malicious websites.
• Users also have to be extra cautious while accessing the website, and are advised not to rely on a search engine as the primary way of reaching the site. Typing the address directly into the browser and checking for https: goes a long way in protecting data from a spoofed website.
• GPS spoofing: GPS spoofing happens when someone uses a radio transmitter to send a
counterfeit GPS signal to a receiver antenna to counter a legitimate GPS satellite signal.
Most navigation systems are designed to use the strongest GPS signal, and the fake signal
overrides the weaker but legitimate satellite signal.
• Spoofed calls: Call spoofing is when someone disguises their caller ID information to hide
who they really are. As of now in India, cross verification is the plausible solution.
22-09-2023 Information System Security Department 9
Spoofing Contd…
Spoofed emails:
Note that it is impossible to stop email spoofing because the Simple Mail Transfer Protocol, which is the foundation for sending emails, does not require any authentication. That is the vulnerability of the technology. Some additional countermeasures have been developed to counter email spoofing, such as DMARC, SPF & rDNS.
With DMARC in place, internet service providers (ISPs) can more effectively identify spammers and prevent malicious emails from landing in consumer inboxes. DMARC also allows ISPs to minimize false positives and provide better authentication reporting, vastly improving transparency in the marketplace.
It is also crucial to note that not all receiving servers will perform a DMARC check before accepting a message, but all the major ISPs do, and implementation of DMARC checks continues to grow.
Spoofing Contd…
An SPF record identifies the mail servers and domains that are allowed to send email on behalf of your domain. Receiving servers check your SPF record to verify that incoming messages that appear to be from your organization are sent from servers allowed by you. A domain can have only one SPF record.
The SPF (Sender Policy Framework) mechanism uses the domain in the return-path address to identify the SPF record. When a sender tries to hand off an email to a "receiving" email server for delivery, the server checks whether the sender is on the domain's list of allowed senders.
Spoofing Contd…
DKIM (DomainKeys Identified Mail) differs from SPF in that, rather than simply validating that the sending server is authorized to send mail for the domain, it also validates that the mail content has not changed since being sent by the server.
• Now, let's assume an email failed a DMARC check for whatever reason.
• DMARC lets the domain owner instruct the receiving server on what should happen to emails that fail authentication.
• Three options are available (they are referred to as "policies"):
• "none" – the email should be treated the same as if no DMARC was set up (the message can still be delivered, put in spam, or discarded based on other factors). This is typically used to watch the environment and analyse the reports without influencing deliverability.
• "quarantine" – allow the email but do not deliver it to the inbox. Usually, such messages go to the spam folder.
• "reject" – discard the email that failed the check right away.
• Finally, a receiving server will send reports with aggregated data about unsuccessful DMARC checks. This is invaluable for analysing the performance of your messages and keeping you in the loop if any phishing scams occur.
Spoofing Contd…
DMARC Process Flow
rDNS: Reverse DNS (rDNS) is essentially a reverse IP lookup. It is a type of email authentication used to match your mail server's IP address to its hostname.
rDNS helps add credibility to the IP addresses sending email and functions as an additional layer of email authentication. It allows legitimate mail servers to be separated from compromised email servers that are sending spam.
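As an added example (not from the original slides), the check a receiving mail server actually runs on a connecting IP is forward-confirmed reverse DNS: look up the PTR record for the IP, resolve the returned hostname forward, and confirm the original IP is among its addresses. The PTR and A answers below are constructed and embedded instead of being looked up; the hostnames and addresses are assumptions for the example.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, offline. DNS answers are
constructed and embedded here instead of being looked up."""
import ipaddress

# Constructed PTR (reverse) and A (forward) answers
PTR_RECORDS = {
    "203.0.113.25": "mail1.example-bank.test",   # properly configured mail server
    "198.51.100.77": "dyn-77.isp.test",          # PTR exists, but forward does not match
}
A_RECORDS = {
    "mail1.example-bank.test": ["203.0.113.25", "203.0.113.26"],
    "dyn-77.isp.test": ["198.51.100.200"],
}


def reverse_name(ip):
    """The name actually queried for a PTR lookup, e.g. 25.113.0.203.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip):
    """Returns (verdict, hostname): 'confirmed' when PTR -> A maps back to ip,
    'mismatch' when the forward lookup does not contain ip, 'no_ptr' when the
    IP has no reverse entry at all."""
    hostname = PTR_RECORDS.get(ip)
    if hostname is None:
        return "no_ptr", None
    if ip in A_RECORDS.get(hostname, []):
        return "confirmed", hostname
    return "mismatch", hostname


def score_connection(ip, helo_name):
    """Combine FCrDNS with the name the client announced in EHLO/HELO; a
    confirmed reverse entry that also matches the EHLO name is the strongest
    signal, a confirmed entry with a different EHLO name is still acceptable,
    anything else is treated as suspect."""
    verdict, hostname = fcrdns(ip)
    if verdict == "confirmed" and hostname.lower() == helo_name.lower():
        return "trusted"
    if verdict == "confirmed":
        return "rdns_ok_helo_mismatch"
    return "suspect"


if __name__ == "__main__":
    for ip, helo in (("203.0.113.25", "mail1.example-bank.test"),
                     ("198.51.100.77", "mail1.example-bank.test"),
                     ("192.0.2.9", "smtp.example-bank.test")):
        print(ip, reverse_name(ip), fcrdns(ip), score_connection(ip, helo))
```

The second case is the one rDNS is meant to catch: the IP has a reverse name, but that name resolves forward to a different address, so the PTR alone proves nothing; only the round trip PTR -> A -> same IP ties the hostname to the sender.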
[Figure: Challenges prevalent relating to cyber security in digital banking. Items shown: Weak Identity and Access Management; Social Media; Rise of Ransomware; Mobile devices and Apps.]
[Figure: organisation charts. Bank-level chart of General Managers (GM) of departments (Retail, Treasury, IBD, Planning, Finance, HR, CCO, DBD, INSP, Recovery, KYC & AML, Corporate, RMD & BPR, Credit Monitoring, Mid Corporate, ITD, TMO) with the CISO shown alongside. IS Audit at ISSD of ITD & DBD: CGM CISO; GM/DGM (DH) ITD; DGM; AGM, Chief Managers & officials (ISSD); AGM/CM ITD. ISSD structure: Executive Director > CISO > DGM-ISSD > Chief Managers (two) > Senior Managers (five) > Forensic Specialist, Officer and C-SOC Team (One, Two, Six).]
The major roles of the IS Security team are as follows:
• Formulate and disseminate the information security policy for necessary approval by the IT Strategy Committee/Board.
• Ensure that security policy and standards are properly documented.
• The Chief Information Security Officer (CISO) will be responsible for the overall IS Security formulation based on the current threat vectors.
Details:
• Formulation & review of the Information Security Policy, Cyber Security Policy and Cyber Crisis Management Plan; enforcement & monitoring of the policies.
• Review of the cyber security arrangements and preparedness of the Bank, and placing the same before the Board.
• Overseeing the monitoring of Cyber Security Operation Centre (C-SOC) operations and driving cyber security related projects with ITD.
• Coordinating the activities related to cyber security incident response mechanisms.
• Providing CISO clearance for newly developed applications before roll out.
• Analysis of VAPT.
• Actively involved in VA scans, managing PIM access, Database Activity Monitoring (DAM) and overall monitoring through SIEM.
Few Important Solutions of ISSD:
SIEM (Security Information and Event Management) provides enterprise security by offering enterprise-wide visibility across the entire network of devices and apps. The software allows security teams to gain attacker insights with threat rules derived from knowledge of attacker tactics, techniques and procedures (TTPs) and known indicators of compromise (IOCs). SIEM solutions allow organizations to efficiently collect and analyze log data from all of their digital assets in one place, to analyse and implement more effective security processes.
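The following added example (not from the original slides, and not the product's own rule language) shows what "collect log data in one place and apply threat rules" means in practice: two constructed log formats (an authentication log and a firewall log) are normalised into one event schema, a brute-force rule then counts failed logins per source inside a sliding time window, and an IOC rule matches source IPs against a watch list. All log lines, addresses and the IOC list are constructed for the example.

```python
"""Minimal SIEM-style pipeline: normalise two log sources into one schema,
then run a correlation rule and an IOC-match rule over the events. All log
lines and IOC values are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>FAILED|ACCEPTED) login "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw: action=(?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

RAW_LOGS = [  # constructed sample input from two different devices
    "2023-09-22T10:00:05 auth: ACCEPTED login user=teller01 src=10.0.0.5",
    "2023-09-22T10:01:00 auth: FAILED login user=admin src=198.51.100.23",
    "2023-09-22T10:01:10 auth: FAILED login user=admin src=198.51.100.23",
    "2023-09-22T10:01:20 auth: FAILED login user=root src=198.51.100.23",
    "2023-09-22T10:01:30 auth: FAILED login user=dba src=198.51.100.23",
    "2023-09-22T10:01:40 auth: FAILED login user=admin src=198.51.100.23",
    "2023-09-22T10:01:50 auth: FAILED login user=sysadm src=198.51.100.23",
    "2023-09-22T10:02:00 auth: FAILED login user=teller02 src=10.0.0.9",
    "2023-09-22T10:20:00 auth: FAILED login user=teller02 src=10.0.0.9",
    "2023-09-22T10:21:00 fw: action=deny src=192.0.2.200 dst=10.0.1.15 dport=3389",
    "2023-09-22T10:21:05 garbage line the parser does not recognise",
]
IOC_IPS = {"192.0.2.200"}   # constructed watch list, e.g. from an advisory


def normalise(line):
    """Map a raw line to the common event schema, or None if not recognised."""
    m = AUTH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "type": "auth",
                "outcome": "fail" if m["result"] == "FAILED" else "success",
                "user": m["user"]}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "type": "fw",
                "outcome": m["action"], "dport": int(m["dport"])}
    return None


EVENTS = [e for e in map(normalise, RAW_LOGS) if e is not None]


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=2)):
    """Alert when one source produces >= threshold failed logins inside a
    sliding window; one alert per source, raised at the event that crosses it."""
    recent = defaultdict(deque)      # src -> timestamps of recent failures
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "auth" or ev["outcome"] != "fail":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"rule": "brute_force", "src": ev["src"],
                           "count": len(q), "at": ev["ts"]})
    return alerts


def ioc_alerts(events, ioc_ips):
    """Flag any event whose source IP is on the watch list, whatever the source device."""
    return [{"rule": "ioc_match", "src": e["src"], "type": e["type"], "at": e["ts"]}
            for e in events if e["src"] in ioc_ips]


if __name__ == "__main__":
    for alert in brute_force_alerts(EVENTS) + ioc_alerts(EVENTS, IOC_IPS):
        print(alert)
```

Two points the rule illustrates: the window matters (the two failures from 10.0.0.9 are eighteen minutes apart and never correlate, while the six from 198.51.100.23 trip the rule on the fifth attempt), and normalisation is what lets the IOC rule run over both the authentication log and the firewall log with one line of logic.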
The OWASP Top 10 is put out by the Open Web Application Security Project
(OWASP) Foundation. OWASP is a non-profit organization with a mission to
bolster software security across industries. To further that mission, OWASP
maintains and publicly shares the OWASP Top 10, an awareness document for
web application security vulnerabilities.
Spear phishing Life Cycle
Important Points:
• A detailed diagram of the project/application to be analysed, with focus on data flow and interaction between the various components of the application. The diagram should consist of the IPs, locations (like DC/DR, MZ/DMZ etc.), OS and network connections.
• VA (Vulnerability Assessment) scan done by ISSD (using the Rapid7 Nexpose tool) and shared with the owner department. The vulnerabilities mentioned in the VA scan reports are to be mitigated before clearance.
• All exceptions and acceptances of risk by the data owner, and exceptions approved by CISO, shall be placed on a quarterly basis before the Information Security Steering Committee.
• As newly propagated OS/security patches give rise to new vulnerabilities, the timeline for remediation of vulnerabilities should be governed by page 298 para 6.10.1 of the SOP on Information System Security Policy (2022-23).
25 Whether SIEM has been integrated with all servers of the application
26 Whether DB Servers of the application are reporting to DAM
27 Whether the users login through PIM to access the servers
28 Whether AV is installed and up to date
29 Whether Internal VA Scan using VAS done for the servers (Yes/No/Not Applicable)
30 If internal VA is done, any pending issues are existing (Yes/No) (If No, certificate of compliance to be enclosed) (If Yes, letter from head of the user department to be provided with reason for non-compliance)
31 Whether Static Code Analyzer is used while coding (Applicable for internally developed applications)
The major roles of the IT Security Implementation team (IT Infra Security) shall be as follows:
• Implementation of security solutions and processes as formulated by the IS Security team.
• Managing the infrastructure related to Information Security.
• Providing technical assistance for troubleshooting, configuration of security devices etc.
Details: (Not Exhaustive)
• Managing firewall access and monitoring firewall health using the firewall analyser.
• Managing proxies for providing access to the outside Internet from the bank's internal network.
• Managing Antivirus (Symantec & McAfee) and Advanced Threat Protection (ATP).
• Centralised patch management & asset management.
• Managing DLP (Data Loss Prevention) software.
• Managing NAC (Network Access Control) and Network Behaviour Analysis.
• Managing Mobile Device Management (MDM) and biometric devices.
S.No. | Solution Name | Product OEM | Purpose
1 | Security Incident and Event Management (SIEM) – QRadar | IBM | Security Information and Event Management (SIEM) is a security solution that aggregates and analyses activity from many resources across the entire IT infrastructure. SIEM collects security log data from network devices, servers, firewalls, and more. SIEM stores, normalizes, aggregates, and applies analytics to that data in real time to discover trends, detect threats, build rules and enable organizations to investigate alerts.
2 | Privilege Identity Management (PIM) | Arcos | PIM is an information security and governance tool which helps to prevent system and data breaches through the improper use of privileged accounts. The management of privileged identities is automated with various customized policies and workflows. PIM also tracks to which account or privilege access was given and the time periods for which the access was granted. The activities performed by the user, including systems accessed and commands executed, are monitored by PIM.
3 | Vulnerability Assessment Solution (VAS) | Rapid7 | Vulnerability Assessment System is used to identify security vulnerabilities of servers and systems in a network in order to determine if and how a system can be exploited. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.
4 | Database Activity Monitoring (DAM) Solution | McAfee | Database Activity Monitoring (DAM) is a database security tool for monitoring and analysing database activity that operates independently of the Database Management System (DBMS). DAM monitors the activity of privileged users such as super users, Database Administrators (DBAs) and system administrators.
5 | Firewalls | Checkpoint & Palo Alto in DC, DR, CO, HO; Fortinet in Treasury & CBS PO Mumbai; Cisco in RTGS, SWIFT Centre Chennai | A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defence in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.
6 | Web Application Firewall (WAF) | F5 | To protect against application level vulnerabilities and exploitation.
7 | Web ATP (Part of Firewall) | Palo Alto (included in the external firewalls in DC, DR, CO and HO) | Detection of unknown threats over the web, which includes definition based detection.
8 | Anti-phishing and Anti-malware Services including Dark web monitoring and Brand Image protection | RSA | Anti-phishing includes a number of techniques used to prevent phishing attacks, such as Content Filtering and Domain Binding. Anti-malware is software that protects the computer from malware such as spyware, adware, and worms. It scans websites for all types of malicious software that manage to reach the computer. Anti-malware services are used to scan and check for the presence of malware, change in content and any vulnerability in domains or URLs of the bank.
9 | Network Behaviour Analyser (NBA) | CISCO | NBA tools listen to IP traffic flow systems or network packets to establish a baseline of normal activity, and then look for network flow anomalies. This enables security and network managers to be alerted of any suspicious activity which is outside of normal traffic flow, so that remedial action can be taken before any significant damage is done.
10 | Network Admission Control (NAC) | CISCO ISE | Network Admission Control (NAC) solutions allow PCs or ATMs to connect to the network by checking the compliance level of the machines requesting connection before permitting access to the network. NAC helps restrict unknown devices from being connected directly to our network by placing the network switch interface in blocking mode by default; the port opens only if the device matches the network compliance.
11 | Network Intrusion Prevention System (NIPS) | CISCO Firepower | A combination of hardware and software systems that protect computer networks from malicious activity. It continually monitors an organization's computer networks for abnormal traffic patterns, generating event logs, alerting system administrators to significant events and stopping potential intrusions when possible.
12 | Authentication Authorisation Accounting (AAA) | CISCO | Used for network device AAA, to have proper authentication and authorisation of users and monitoring of their activities.
13 | SSL Decryptor (Part of load balancer) | Radware | Provides a simple one-box solution for offloading traffic encryption/decryption processing for both inbound & outbound traffic.
14 | Proxy Server to access internet | McAfee & Sophos (for branches); Forcepoint (for Admin Offices) | Web proxy is used by staff to securely browse the internet for business requirements from the bank network.
Cyber Security Solutions implemented Contd….
S.No. | Solution Name | Product OEM | Purpose
15 | Web Data Leak Prevention (DLP) | McAfee (for branches); Forcepoint Network DLP (for branches & Admin offices) | Data Leakage Prevention (DLP) is a strategy that ensures end users do not send confidential or sensitive information outside of the enterprise network. Data leakage prevention software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in motion.
16 | Anti Virus and Endpoint Detection Response (EDR) / Advanced Persistent Threat (APT) | McAfee and Symantec | EDR solution is used to detect behavioural threats and unknown threats passing through sandboxing, which includes definition based detection.
17 | Host Intrusion Prevention System (HIPS) | Trend Micro | To protect the system from malware and application level vulnerabilities.
18 | Endpoint Data Leak Prevention (DLP) | Forcepoint Endpoint DLP | Data Leakage Prevention (DLP) is a strategy that ensures end users do not share confidential or sensitive information outside of the enterprise network. Data leakage prevention software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use and in motion.
21 | Algosec (Firewall Analyser) | Algosec | Firewall Analyzer analyses complex network security policies in firewalls and recommends policies for improving the configuration. It automates and simplifies security operations including troubleshooting, auditing, and risk analysis. Using Firewall Analyzer, it is possible to optimize the configuration of firewalls and ensure security and compliance.
22 | Virtual Private Network (VPN) | Pulse Secure | VPN connectivity is used to access the Bank's systems from home in a secured way. The same is used to provide Work from Home facilities to Bank officials and vendor representatives as per requirement.
23 | Active Directory | Microsoft | AD is used to enable administrators to manage permissions and control access to network resources.
24 | Asset Management Tools | Microfocus | Asset management tools allow a complete view of an asset, including costs, utilisation and return on investment.
31 | Malicious IP Blocking | New Solution proposed | To have a dedicated solution to block malicious IPs and URLs as per advisories, and to reduce firewall load.
32 | Information Rights Management (IRM) | New Solution proposed | To ensure that the data shared can be accessed and seen only by personnel authorised by the data owner.
CERT-In (Computer Emergency Response Team - India) has been designated to serve as the national agency to perform the following functions in the area of cyber security: collection, analysis and dissemination of information on cyber incidents; forecasts and alerts of cyber security incidents; and emergency measures for handling cyber security incidents.
CERT-In was formed in 2004 by the Government of India under Section 70B of the Information Technology Act, 2000, under the Ministry of Communications and Information Technology. In December 2013, CERT-In reported a rise in cyber attacks on Government organisations in sectors like banking and finance, oil and gas, and emergency services. It issued a list of security guidelines to all critical departments. It liaises with the Office of the National Cyber Security Coordinator, the National Security Council and the National Information Board on the nation's cyber security and threats. As a nodal entity, India's Computer Emergency Response Team (CERT-In) plays a crucial role under the Ministry of Electronics and Information Technology (MeitY).
The Computer Emergency Response Team (CERT) is a group formed in 1998 by the U.S. Defence Advanced Research Projects Agency, and coordinated through Carnegie Mellon University's Software Engineering Institute (SEI), to research and report on Internet-related security problems.
National Critical Information Infrastructure Protection Centre (NCIIPC) is an organisation of the Government of India created under Section 70A of the Information Technology Act, 2000 (amended 2008), through a gazette notification on 16th Jan 2014, and is based in New Delhi, India. NCIIPC maintains a 24x7 Help Desk to facilitate reporting of incidents (Toll Free No. 1800-11-4430). It issues advisories or alerts and provides guidance and expertise-sharing in addressing threats/vulnerabilities for the protection of CII (Critical Information Infrastructure).
What is CII
Critical Information Infrastructure (CII) constitutes assets (real/virtual), networks, systems, processes, information, and functions that are vital to the nation such that their incapacity or destruction would have a devastating impact on national security and the economic and social well-being of citizens.