
Cybersecurity in Digital Banking:

Threats, Challenges and Solution

22-09-2023 Information System Security Department 1


Threats for Cyber Security in Banking



Unencrypted data
This is one of the most common threats banks face: data is left unencrypted, so hackers or cybercriminals can use it the moment they obtain it, creating severe problems for the bank. All data stored on computers in financial institutions or online must be fully encrypted. This ensures that even if your data is stolen, cybercriminals may not be able to use it.

Third-party services
Many banks and financial institutions use third-party services from outside vendors to serve their customers better. However, if these vendors do not have tight cybersecurity measures, the bank that has engaged them will be affected as well.


Malware
End-user devices such as computers and mobile devices are the primary means of conducting digital transactions; therefore, they must be secured. A device compromised with malware poses a serious risk to the bank's cybersecurity whenever it connects to the bank's network. Sensitive data passes through this network, and malware installed on an unprotected user device can become a serious threat to the bank's network.


Phishing

Phishing is the attempt to obtain sensitive information, such as credit card details, for malicious purposes by disguising oneself as a trustworthy entity in an electronic communication. Online banking phishing scams have evolved continuously. They look genuine and real, but they fool you into giving away your access information.


Spear Phishing:
Spear phishing is a targeted cyberattack against a specific individual or organisation with the end goal of obtaining confidential information for fraudulent purposes.
Diagrams: What is Spear Phishing; Difference between Spear Phishing and Phishing


Spoofing:
This is one of the newest forms of cyber threat faced by banks. Cybercriminals imitate a banking website's URL with a website that looks like the original and functions the same way; when users enter their login credentials, those credentials are stolen by the criminals and used later.
This threat has moved to the next level with new spoofing techniques employed by these criminals. Here they use a similar URL and target users who visit the correct URL.


Spoofing Contd…
Spoofing can take many forms, such as:
• IP spoofing: IP address spoofing is the act of falsifying the Source IP header of a packet, usually with randomised numbers, either to mask the sender's identity or to launch a reflected DDoS attack.
To help prevent IP spoofing, a VPN is used to hide the IP address, and the network is monitored for suspicious activity with a firewall that uses a packet filter to inspect IP packet headers. Visit secure sites that use the HTTPS protocol, with the help of a proxy, and ensure strong passwords are used.

• DNS spoofing: DNS (Domain Name Service) spoofing is the process of poisoning entries on a DNS server to redirect a targeted user to a malicious website under attacker control.
To protect against DNS spoofing, DNS providers can use DNSSEC (DNS Security Extensions). When a domain owner sets up DNS entries, DNSSEC adds a cryptographic signature to the entries, which resolvers require before they accept DNS lookups as authentic.


Spoofing Contd…

Spoofing can take many forms, such as:

• Website spoofing: Website spoofing is the act of creating a website with the intention of misleading readers into believing that it was created by a different person or organisation. Normally, the spoof website adopts the design of the target website, and it sometimes has a similar URL.
  • The Bank has engaged a vendor to monitor anti-phishing and anti-malware services, including dark web monitoring and brand image protection. The vendor initiates the process of taking down such malicious websites.
  • Users also have to be extra cautious while accessing the website, and are advised not to rely primarily on a search engine to reach it. Typing the address directly into the browser and checking for the presence of https: goes a long way in protecting data from a spoofed website.

• GPS spoofing: GPS spoofing happens when someone uses a radio transmitter to send a counterfeit GPS signal to a receiver antenna to counter a legitimate GPS satellite signal. Most navigation systems are designed to use the strongest GPS signal, so the fake signal overrides the weaker but legitimate satellite signal.

• Spoofed calls: Call spoofing is when someone disguises their caller ID information to hide who they really are. As of now in India, cross-verification is the plausible solution.
Spoofing Contd…

Spoofed emails:

Email spoofing is a threat that involves sending email messages with a fake sender address. Email protocols cannot, on their own, authenticate the source of an email. Therefore, it is relatively easy for a spammer or other malicious actor to change the metadata of an email.

Note that it is impossible to stop email spoofing entirely, because the Simple Mail Transfer Protocol, which is the foundation for sending emails, does not require any authentication. That is the vulnerability of the technology. Some additional countermeasures have been developed to counter email spoofing, such as DMARC, SPF and rDNS.


Spoofing Contd…

DMARC: Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email security measure that protects your domain against email spoofing attacks.
DMARC enables email senders to specify how receivers should handle emails that fail SPF and DKIM authentication. Senders can opt to have such emails sent to the junk folder or blocked altogether.

In doing so, internet service providers (ISPs) can more effectively identify spammers and prevent malicious emails from landing in consumer inboxes. DMARC also allows ISPs to minimise false positives and provide better authentication reporting, vastly improving transparency in the marketplace.

It is also crucial to note that not all receiving servers perform a DMARC check before accepting a message, but all the major ISPs do, and the implementation of DMARC checks continues to grow.
Spoofing Contd…

SPF: Sender Policy Framework uses a DNS entry to specify the list of servers that are allowed to send email for a specific domain.

An SPF record identifies the mail servers and domains that are allowed to send email on behalf of your domain. Receiving servers check your SPF record to verify that incoming messages that appear to be from your organisation are sent from servers allowed by you. A domain can have only one SPF record.

The SPF mechanism uses the domain in the return-path address to identify the SPF record. When a sender tries to hand off an email to a receiving email server for delivery, that server checks whether the sending server is on the domain's list of allowed senders.
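As an added illustration of the check just described (example code, not from the Bank or this presentation), the following Python evaluates an SPF record for a sending IP the way a receiving server does: it walks the record's mechanisms left to right and the first match decides. The domains, IP addresses and records are constructed and stand in for real DNS lookups.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over a constructed, in-memory DNS zone.

Added example for the SPF discussion; not the Bank's code. It handles the
mechanisms ip4, ip6, include and all, with the four qualifiers, and returns
the RFC 7208 result names. The real DNS lookup is replaced by a dictionary.
"""
import ipaddress

# Constructed DNS data: example-bank.test sends from its own /24 and
# through a hypothetical bulk-mail vendor whose record it includes.
ZONE = {
    "example-bank.test": "v=spf1 ip4:203.0.113.0/24 include:mail-vendor.test -all",
    "mail-vendor.test": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms


def lookup_spf_record(domain):
    """Return the SPF TXT record for domain, or None if the domain has none."""
    record = ZONE.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(client_ip, mail_from_domain, _lookups=None):
    """Evaluate the SPF record of the return-path (MAIL FROM) domain for client_ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across recursive include: evaluations
    record = lookup_spf_record(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)

    # Mechanisms are evaluated left to right; the first match decides.
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False

        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            # An IPv4 client never matches an ip6 network and vice versa.
            matched = ip in network
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_MECHANISMS:
                return "permerror"
            sub = check_spf(client_ip, arg, _lookups)
            if sub in ("none", "permerror"):
                return "permerror"  # included domain must have a valid record
            matched = sub == "pass"  # only an included "pass" counts as a match
        elif name == "all":
            matched = True
        else:
            return "permerror"  # a, mx, exists, redirect= not supported here

        if matched:
            return QUALIFIERS[qualifier]

    return "neutral"  # record exhausted without a match (implicit "?all")


if __name__ == "__main__":
    for ip, domain in [("203.0.113.45", "example-bank.test"),
                       ("198.51.100.11", "example-bank.test"),
                       ("192.0.2.7", "example-bank.test")]:
        print(f"{ip} sending for {domain}: {check_spf(ip, domain)}")
```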
Spoofing Contd…

DKIM (DomainKeys Identified Mail) is a protocol that allows an organisation to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify. DKIM record verification is made possible through cryptographic authentication.

DKIM differs from SPF in that, rather than simply validating that the sending server is authorised to send mail for the domain, it also validates that the mail content has not changed since being sent by the server.


Spoofing Contd…
For DMARC to be in working order it requires either an SPF record or a DKIM record – or, better, both of them – to be set. The check then proceeds as follows:
• When an email is received, the receiving server does a DNS (Domain Name System) lookup and checks whether a DMARC record exists for the sender's domain.
• The DKIM/SPF checks are performed as usual.
• The receiving server then performs the so-called “DMARC alignment test” to verify that:
  • In the case of SPF, the domain of the “envelope from” (return-path) address in the hidden technical header matches the domain of the visible From address. In other words, it checks whether the address the message appears to be sent from is the same as the address a potential reply would go to.
  • In the case of DKIM, the value of the “d” tag (the signing domain) matches the domain the email was sent from.
  • Of course, if both authentications are set up, both alignment tests are performed.
• The alignment requirements can be “strict” (the domains must match exactly) or “relaxed” (the base domains must match, but different subdomains are allowed).
• DMARC succeeds in the following scenarios:
  • If only one of the authentications is set up, its check must be successful, along with the respective alignment test.
  • If both authentications are set up, one of them must be successful together with its alignment test; both are not required.
• DMARC will therefore still succeed even if, e.g., DKIM and DKIM alignment fail, but SPF and its alignment succeed (or the other way around).
Spoofing Contd…

• Now, let's assume an email failed the DMARC check for whatever reason.
• DMARC lets the domain owner instruct the receiving server on what should happen to emails that fail authentication.
• Three options are available (referred to as “policies”):
  • “none” – the email is treated the same as if no DMARC were set up (the message can still be delivered, put in spam, or discarded based on other factors). This is typically used to watch the environment and analyse the reports without influencing deliverability.
  • “quarantine” – accept the email but do not deliver it to the inbox. Usually such messages go to the spam folder.
  • “reject” – discard the email that failed the check right away.
• Finally, a receiving server sends reports on failed DMARC verifications with aggregated data about the unsuccessful checks. This is invaluable for analysing the performance of your messages and keeping you in the loop if any phishing scams using your domain occur.
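The alignment and policy steps above, worked through as an added Python example (not from the presentation or the Bank): given the SPF and DKIM outcomes for one message and the DMARC record published by the From domain, it applies strict or relaxed alignment and then the p= policy. The record, domains and results are constructed; organisational domains are approximated by the last two labels, which is an assumption a real implementation replaces with the Public Suffix List.

```python
"""DMARC evaluation (RFC 7489 subset): identifier alignment plus policy.

Added example, not the Bank's code. Inputs are the already-computed SPF and
DKIM results for one message and the constructed DMARC TXT record of the
From-header domain. Organisational domains are approximated by the last two
labels; a real implementation consults the Public Suffix List.
"""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str    # domain of the visible RFC5322.From header
    spf_result: str     # SPF outcome for the return-path (MAIL FROM) domain
    spf_domain: str     # return-path domain the SPF check was run against
    dkim_result: str    # DKIM signature verification outcome
    dkim_domain: str    # d= tag of the DKIM-Signature header


def parse_dmarc_record(record):
    """Parse 'v=DMARC1; p=...; adkim=...; aspf=...' into a dict, or None if invalid."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplified: last two labels (constructed rule, not the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record, results):
    """Return (dmarc_result, disposition) for one message.

    dmarc_result is 'pass', 'fail' or 'none' (no usable record); disposition is
    what the receiver should do: 'deliver', 'quarantine' or 'reject'.
    """
    tags = parse_dmarc_record(record) if record else None
    if tags is None:
        return ("none", "deliver")  # no DMARC record: treated as if none were set

    # Either authenticated identifier aligned with the From domain is enough.
    spf_aligned = (results.spf_result == "pass"
                   and aligned(results.spf_domain, results.from_domain, tags["aspf"]))
    dkim_aligned = (results.dkim_result == "pass"
                    and aligned(results.dkim_domain, results.from_domain, tags["adkim"]))
    if spf_aligned or dkim_aligned:
        return ("pass", "deliver")

    # Failure: the policy chosen by the domain owner decides the disposition.
    policy = tags["p"]
    return ("fail", "deliver" if policy == "none" else policy)


if __name__ == "__main__":
    bank_record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example-bank.test"
    # A forged From with SPF passing only for an unrelated vendor domain.
    forged = AuthResults("example-bank.test", "pass", "mail-vendor.test", "fail", "mail-vendor.test")
    print(evaluate_dmarc(bank_record, forged))
```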
Spoofing Contd…
DMARC Process Flow (diagram)

Spoofing Contd…
SPF/DKIM Checking in DMARC (diagram)


Spoofing Contd…

rDNS: Reverse DNS (rDNS) is essentially a reverse IP lookup. It is a type of email authentication used to match your mail server's IP address to its hostname.

rDNS helps add credibility to the IP addresses sending email and functions as an additional layer of email authentication. It helps separate legitimate mail servers from compromised email servers that are sending spam.


Spoofing Contd…

What a user can check: (diagram)


Challenges relating to Cybersecurity in digital banking
01 Lack of Awareness
02 Weak Identity and Access Management
03 Rise of Ransomware
04 Mobile devices and Apps
05 Prevalent Social Media


Lack of Awareness
Awareness of cybersecurity among people has been quite low, and not many firms invest in training and improving overall cybersecurity awareness. A bank's main interaction points are its customers and vendors, and awareness is needed at both.

Weak Identity and Access Management

Identity and access management is a fundamental element of cybersecurity, especially in these times when hackers have the upper hand: a single compromised credential may be enough to enter an enterprise network. There has been a slight improvement in this regard, but a lot of work remains to be done. 2FA is an absolute must for a financial organisation such as a bank.
Rise of Ransomware
Recent malware attacks bring our focus to the rising menace of ransomware. Cybercriminals are starting to use methods that evade detection by endpoint protection that focuses on executable files.
Mobile devices and Apps
Most banking institutions have adopted mobile phones as a medium for conducting business. As the user base grows each day, it also becomes the ideal choice for exploiters. Mobile phones have become an attractive target for hackers as mobile phone transactions rise.
Social Media
The adoption of social media has given hackers even more to exploit. Less aware customers put their data out for anyone to see, and attackers exploit it. This results in the loss of customers and intangible losses for the bank.
The primary purpose of cybersecurity in digital banking is to protect the customer's assets. As people go cashless, more and more activities and transactions are done online.
People use digital money such as credit cards and debit cards for transactions, and these need to be protected by cybersecurity.

What is user awareness in cyber security?

User security awareness, typically a component of a company's security policy, includes educating and testing employees to help protect the business against cybercrime, including phishing and other social-engineering attacks.

Why is cyber security awareness important?

When an enterprise's employees are cyber security aware, they understand what cyber threats are, the potential impact a cyber-attack would have on their business, and the steps required to reduce risk and prevent cyber-crime from infiltrating their online workspace.
While we focus our attention on technology, we should not miss one important component: the user.

Users are internal (mainly employees and vendors) or external (mainly customers) to the organisation, with various levels of privilege.
The more the privilege, the more the risk, and the more precaution is needed.
Because they hold very high privileges, bank employees are more exposed and vulnerable to outside attack and can cause extreme damage to the organisation, occasionally by being mala fide, most often by being ignorant.

Hence the need for user awareness and education.


YOU are most important in security
• Please be aware that you are a target for hackers.
• Don't ever say, "It won't happen to me." We are all at risk and the stakes are high - both for your personal and financial well-being and for the bank's standing and reputation.
• Cybersecurity is everyone's responsibility.
• By following a few tips and remaining vigilant, you do your part to protect yourself and others.
• Please remember that the most vulnerable part of cyber security is the human, and security is only as strong as its weakest link.


User responsibilities



Avoid Phishing scams - beware of suspicious emails and phone calls
Phishing scams are a constant threat - using various social engineering ploys, cyber-criminals will attempt to trick you into divulging personal information such as your login ID and password, or banking or credit card information.
Phishing scams can be carried out by phone, text, or through social networking sites - but most commonly by email.
Be suspicious of any official-looking email message or phone call that asks for personal or financial information.

Be careful what you click

Avoid visiting unknown websites or downloading software from untrusted sources. These sites often host malware that will automatically install (often silently) and compromise your computer.

Practice good password management

We all have too many passwords to manage - and it's easy to take short-cuts, like reusing the same password. A password should be easy for you to remember and difficult for others to guess at the same time.
Never leave devices unattended
The physical security of your devices is just as important as their technical security.
If you need to leave your laptop, phone, or tablet for any length of time - lock it up so no one else can use it.
For desktop computers, lock your screen or shut down the system when not in use.

Safeguard Protected Data

Be aware of the Protected Data that you come into contact with and its associated restrictions. In general:
Keep high-level Protected Data (e.g., Aadhaar, credit card information, customer PII, health information, etc.) off your workstation, laptop, or mobile devices.
Securely remove sensitive data files from your system when they are no longer needed.
Update the installed antivirus/anti-malware protection
Keep virus definitions, engines and software up to date to ensure your programs remain effective. Most of the time this is automatic in the bank's environment; still, keeping an eye on it helps.

Back up your data

Back up regularly - if you are the victim of a security incident, the only guaranteed way to repair your computer is to erase and reinstall the system. Try to keep your latest files in email.


Use OWN mobile devices safely
Considering how much we rely on our mobile devices and how susceptible they are to attack, you'll want to make sure you are protected:
• Lock your device with a PIN or password - and never leave it unprotected in public.
• Only install apps from trusted sources (Apple App Store, Google Play).
• Keep the device's operating system up to date.
• Don't click on links or attachments in unsolicited emails or texts.
• Avoid transmitting or storing personal information on the device.
• Most handheld devices are capable of data encryption - consult your device's documentation for available options.
• Use Apple's Find My iPhone or the Android Device Manager tools to help prevent loss or theft.


ISSD & What ISSD Does



Compliance Hierarchy of Information Systems Security Policy (organisation chart)

Managing Director & CEO
Executive Director 1, Executive Director 2, Executive Director 3, Executive Director 4
CGM level
GM level (departments including Retail, MSME, Treasury, IBD, CISO, Planning, Fin, CCO, HR & BPR, ITD, DBD, INSP, Recov, BOD, KYC & AML, RMD, Corp Crdt, CR Mon, TMO, Mid Corp)
DGM
AGM/CM, AGM/CMs
IS Audit at ISSD of ITD & DBD


Information System Security Setup (organisation chart)
Managing Director & CEO
Executive Director AC, Executive Director MKB
CGM
ISSD branch: CISO – DGM – AGM, Chief Managers & officials (ISSD) – Security Operation Centre
ITD branch: GM/DGM (DH) ITD – AGM/CM ITD – IT Infra security Operations
Department Organogram

Executive Director
CISO
DGM-ISSD
Assistant General Manager
Chief Managers (two)
Senior Managers (five)
Forensic Specialist (one), Officers (two), C-SOC Team (six)
The major roles of the IS Security team are as follows:
• Formulate and disseminate the information security policy for the necessary approval by the IT Strategy Committee/Board.
• Ensure that security policy and standards are properly documented.
• The Chief Information Security Officer (CISO) is responsible for overall IS security formulation based on the current threat vectors.
Details:
• Formulation and review of the Information Security Policy, Cyber Security Policy and Cyber Crisis Management Plan; enforcement and monitoring of the policies.
• Review of the cyber security arrangements and preparedness of the Bank, and placing the same before the Board.
• Overseeing the monitoring of Cyber Security Operation Centre (C-SOC) operations and driving cyber security related projects with ITD.
• Coordinating the activities related to cyber security incident response mechanisms.
• Providing CISO clearance for newly developed applications before roll-out.
• Analysis of VAPT results.
• Active involvement in VA scans, managing PIM access and Database Activity Monitoring (DAM), and overall monitoring through SIEM.
Few Important Solutions of ISSD:
SIEM (Security Information and Event Management) provides enterprise security by offering enterprise-wide visibility across the entire network of devices and applications. The software allows security teams to gain attacker insight through threat rules derived from attacker tactics, techniques and procedures (TTPs) and known indicators of compromise (IOCs). SIEM solutions allow organisations to efficiently collect and analyse log data from all of their digital assets in one place, in order to analyse events and implement more effective security processes.


Few Important Solutions of ISSD:
PIM/PAM (Privileged Identity/Access Management) gives users the ability to control, manage, and monitor the access privileges that people have to crucial resources within an organisation. PIM monitors and protects super-user and other critical accounts in an organisation's IT environment. Oversight is necessary so that the greater access abilities of such super-control accounts are not misused or abused.


Few Important Solutions of ISSD:
DAM (Database Activity Monitoring) is the process of observing, identifying and reporting a database's activities. Database activity monitoring tools use real-time security technology to monitor and analyse configured activities independently, without relying on the DBMS's own auditing or logs. It is an important tool for identifying and reporting fraudulent, illegal or other undesirable behaviour.


Few Important Solutions of ISSD:
VAS (Vulnerability Assessment Scanning) is an inspection of the potential points of exploit on a computer or network to identify security holes. A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures. A VAS scans computer and network security systems and compares the gathered data with compilations of standards to spot weaknesses in security configurations. A VAS usually runs periodically and produces reports.


Servers are also scanned every quarter or half-year, based on criticality, as part of continuous assessment by an external auditor.


OWASP Framework:
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications, and is globally recognised by developers as the first step towards more secure coding.

The OWASP Top 10 is published by the Open Web Application Security Project (OWASP) Foundation. OWASP is a non-profit organisation with a mission to bolster software security across industries. To further that mission, OWASP maintains and publicly shares the OWASP Top 10, an awareness document for web application security vulnerabilities.


OWASP Framework:
For each ranking period, OWASP collects application data from a variety of sources and conducts a survey to gather important information about the top vulnerabilities developers encounter but that may not be expressed in the application data received. These are usually trends developers observe that may have the potential to cause damage. Submitted web application data and survey results are used together to rank the top ten security vulnerabilities, which are presently as follows:
1. Broken access control
2. Cryptographic failures
3. Injection
4. Insecure design
5. Security misconfiguration
6. Vulnerable and outdated components
7. Identification and authentication failures
8. Software and data integrity failures
9. Security logging and monitoring failures
10. Server-side request forgery (SSRF)


Few Important Solutions of ISSD:
Spear Phishing Simulation:
Phishing simulations are imitations of real-world phishing emails that organisations can send to employees to test online behaviour and assess knowledge levels regarding phishing attacks. As part of a wider security awareness training programme, this teaches users how to recognise the warning signs of a malicious email. The simulation then tests what users have learned, appearing as a new email in their inbox.

Spear phishing Life Cycle (diagram)


Few Important Solutions of ISSD:
Deception Technology, counter response & honeypot services:

The Bank uses this technology, which can detect, analyse, and defend against advanced attacks, often in real time. The aim of deception/decoy/honeypot technology is to prevent a cybercriminal who has managed to infiltrate a network from doing any significant damage.

The technology works by generating traps or deception decoys that mimic legitimate technology assets throughout the infrastructure.


Security By Design Approach



Points to consider before providing CISO clearance for newly developed applications before roll-out: For details, please refer to Page 102 of the SOP on Information System Security Policy (2022-23)
Important Points:
• The owner department is to raise a signed, fully filled-in CISO clearance form.
• NPPAC and ORMC sanction to be provided, as applicable.
• Before starting the actual project, the user department should get approval from the Enterprise Architecture Approval Committee for the feasibility of the proposed architecture in the Bank's environment. Suggested changes, if any, are to be incorporated in the revised architecture.
• UAT sign-off to be provided.
• Web application/mobile application security assessment (VAPT) by external agencies to be arranged by the user department in consultation with the Inspection Department. Accepted only when there are zero vulnerabilities or exceptions.
• Dynamic code testing done by ISSD using the Micro Focus Fortify WebInspect tool. Accepted only when there are zero vulnerabilities or exceptions.
• In case the application is developed in-house, the development team should use a static code analyser while developing.
• In case the application is developed externally, the vendor should provide either an audit certificate or a certificate along the following lines: "The product is built in a secure manner and the product/version/module(s) function only in the manner intended. The application is free from known vulnerabilities and malware and does not have any covert channels in the code. The application is developed as per the best secure design/coding practices and standards."
Points to consider before providing CISO clearance for newly developed applications before roll-out (continued):

Important Points:
• A detailed diagram of the project/application is to be analysed, with focus on data flow and interaction between the various components of the application. The diagram should show the IPs, locations (DC/DR, MZ/DMZ, etc.), OS and network connections.
• VA (Vulnerability Assessment) scan done by ISSD (using the Rapid7 Nexpose tool) and shared with the owner department. The vulnerabilities mentioned in the VA scan reports are to be mitigated before clearance.
• All exceptions and acceptances of risk by the data owner, and exceptions approved by the CISO, shall be placed on a quarterly basis before the Information Security Steering Committee.
• As the propagation of new OS/security patches gives rise to new vulnerabilities, the timeline for remediation of vulnerabilities should be governed by page 298, para 6.10.1 of the SOP on Information System Security Policy (2022-23).


Formats of CISO Clearance form (latest one having 31 points)
Sub: CISO Clearance for New/Existing: New

1. Name of the Project/Application
2. Whether internally developed/procured from vendor
3. Name of the vendor (if internally developed, please mention the name of the department that developed the application)
4. User Department that requested this project
5. Type of project (financial transaction related / administration or operations oriented)
6. If financial, average number of transactions expected per day (approximate)
7. If financial, average value of transactions expected per day (approximate)
8. Criticality of the application as per the above BIA: High/Medium/Low
9. Hosting of the application (please mention whether the application is public facing/internal/cloud)
10. Purpose of the application
11. Approx. volume of the transactions/operations expected
12. What is the current scenario before this software development (brief description required)
13. Details of the project (process or transaction flow/network architecture to be annexed)
14. User Department Coordinating Officer
15. User Department contact number of the officer
16. User Department email ID for contact
17. Approval by ORMC obtained (Yes/No/Not Applicable)
18. User Acceptance Testing (UAT) of software completed (Yes/No/Not Applicable)
19. VA/PT audit of software completed (Yes/No/Not Applicable)
20. If VA/PT is done, are any pending issues existing (Yes/No)? (If No, certificate of compliance from auditors to be enclosed) (If Yes, letter from head of the user department to be provided with reason for non-compliance)
21. Business Continuity Plan (BCP)/Disaster Recovery (DR) availability for the application
22. Reconciliation process, if any required, and its availability (Yes/No) (if Yes, please mention the type of settlement, e.g. T+1, T+0)
23. URL/SDK files of the application to be hosted
24. IP & OS details of servers of the application: Web Server / App Server / DB Server
25. Whether SIEM has been integrated with all servers of the application
26. Whether DB servers of the application are reporting to DAM
27. Whether the users log in through PIM to access the servers
28. Whether AV is installed and up to date
29. Whether internal VA scan using VAS has been done for the servers (Yes/No/Not Applicable)
30. If internal VA is done, are any pending issues existing (Yes/No)? (If No, certificate of compliance to be enclosed) (If Yes, letter from head of the user department to be provided with reason for non-compliance)
31. Whether a Static Code Analyzer is used while coding (applicable for internally developed applications)
The major roles of the IT Security Implementation team
(IT Infra Security) shall be as follows:
• Implementation of security solutions and processes as formulated by the IS Security team
• Managing the infrastructure related to Information Security
• Providing technical assistance for troubleshooting, configuration of security devices, etc.
Details (not exhaustive):

• Managing firewall access and monitoring firewall health using the firewall analyser
• Managing proxies that provide access to the outside Internet from the Bank's internal network
• Managing Antivirus (Symantec & McAfee) and Advanced Threat Protection (ATP)
• Centralised patch management and asset management
• Managing DLP (Data Loss Prevention) software
• Managing NAC (Network Access Control) and Network Behaviour Analysis
• Managing Mobile Device Management (MDM) and biometric devices


Cyber Security Solutions implemented
(S.No.; Solution Name; Product/OEM; Purpose)

1. Security Information and Event Management (SIEM); Product/OEM: IBM QRadar
   SIEM is a security solution that aggregates and analyses activity from many sources across the entire IT infrastructure. It collects security log data from network devices, servers, firewalls and more, then stores, normalises, aggregates and applies analytics to that data in real time to discover trends, detect threats, build rules and enable the organisation to investigate alerts.

2. Privileged Identity Management (PIM); Product/OEM: Arcos
   PIM is an information security and governance tool that helps prevent system and data breaches arising from improper use of privileged accounts. Management of privileged identities is automated through customised policies and workflows. PIM records which account or privilege was granted to whom and for which time period, and monitors the activities performed in the session, including the systems accessed and the commands executed.

3. Vulnerability Assessment Solution (VAS); Product/OEM: Rapid7
   The Vulnerability Assessment System identifies security vulnerabilities of servers and systems in the network in order to determine whether and how a system can be exploited. Vulnerability scanning uses software that looks for security flaws based on a database of known flaws, tests systems for the presence of those flaws and generates a report of the findings that can be used to tighten the network's security.

4. Database Activity Monitoring (DAM) Solution; Product/OEM: McAfee
   DAM is a database security tool for monitoring and analysing database activity that operates independently of the Database Management System (DBMS). It monitors the activity of privileged users such as superusers, Database Administrators (DBAs) and system administrators.
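The collect, normalise, correlate sequence described under item 1 in miniature, as an added example that is not part of the Bank's QRadar content or configuration. The two log formats (an sshd-style authentication log and a key=value firewall log), the hosts and IPs are all constructed, and the correlation rule ("N failed logins followed by a success from the same source within a window") is a hypothetical example of the kind of rule a SIEM lets an analyst build over normalised events.

```python
"""Miniature SIEM pipeline: normalise log lines from different sources into one
event schema, then run a correlation rule over the normalised events. Added
illustration, not QRadar content or configuration. The log lines, hosts and IPs
are constructed; the rule ("N failed logins then a success from the same source
within a window") is a hypothetical example of the rules a SIEM lets you build."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = [  # constructed: an sshd log and a firewall log in two different formats
    "sshd: 2023-09-22T10:00:01 Failed password for root from 10.10.5.7 port 51000 ssh2",
    "sshd: 2023-09-22T10:00:03 Failed password for root from 10.10.5.7 port 51001 ssh2",
    "sshd: 2023-09-22T10:00:05 Failed password for root from 10.10.5.7 port 51002 ssh2",
    "sshd: 2023-09-22T10:00:06 Failed password for admin from 10.10.5.7 port 51003 ssh2",
    "sshd: 2023-09-22T10:00:09 Accepted password for root from 10.10.5.7 port 51004 ssh2",
    "fw: time=2023-09-22T10:00:10 action=deny src=10.10.5.7 dst=10.20.1.5 dport=3306",
    "sshd: 2023-09-22T10:30:00 Failed password for ops from 10.10.9.2 port 40000 ssh2",
    "sshd: 2023-09-22T10:30:30 Accepted password for ops from 10.10.9.2 port 40001 ssh2",
]

SSHD_RE = re.compile(r"^sshd: (?P<ts>\S+) (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"^fw: time=(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def normalise(line):
    """Map a raw line to a common schema (ts, source, category, src_ip, outcome, ...)."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "sshd", "category": "auth",
                "src_ip": m["src"], "user": m["user"],
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall", "category": "network",
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"]),
                "outcome": "denied" if m["action"] == "deny" else "allowed"}
    return None  # unparsed: a real SIEM keeps the raw line and flags the parser gap

def brute_force_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a source IP logs >= threshold auth failures and then a success
    within `window`. Failures older than the window slide out of the count."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "auth":
            continue
        ip = ev["src_ip"]
        failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            failures[ip].append(ev["ts"])
        elif len(failures[ip]) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": ip,
                           "user": ev["user"], "failures": len(failures[ip]), "ts": ev["ts"]})
            failures[ip].clear()
    return alerts

def run(lines=SAMPLE_LOGS):
    """Normalise all lines, drop what no parser understands, run the rule."""
    events = [e for e in map(normalise, lines) if e is not None]
    return events, brute_force_then_success(events)
```

On the constructed input, 10.10.5.7 produces one alert (four failures, then a success for root) while 10.10.9.2, a user who mistyped a password once, does not; the firewall event is normalised into the same schema but ignored by this particular rule. The normalisation step is what makes a rule like this writable once rather than once per log format.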



Cyber Security Solutions implemented Contd….

5. Firewalls; Product/OEM: Check Point & Palo Alto in DC, DR, CO and HO; Fortinet in Treasury & CBS PO Mumbai; Cisco in RTGS/SWIFT Centre Chennai
   A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been the first line of defence in network security for over 25 years; they establish a barrier between the secured, controlled internal network that can be trusted and untrusted outside networks such as the Internet.

6. Web Application Firewall (WAF); Product/OEM: F5
   To protect against application-level vulnerabilities and their exploitation (attacks carried inside HTTP requests, which a network firewall does not inspect).

7. Web ATP (part of the firewall); Product/OEM: Palo Alto; included in the external firewalls in DC, DR, CO and HO
   Detection of unknown (previously unseen) threats in web traffic, in addition to signature (definition) based detection.

8. Anti-phishing and Anti-malware Services, including Dark Web monitoring and Brand Image protection; Product/OEM: RSA
   Anti-phishing covers a number of techniques used to prevent phishing attacks, such as content filtering and domain binding. Anti-malware software protects computers from malware such as spyware, adware and worms, and scans websites for malicious software that could reach the computer. The anti-malware service scans the Bank's domains and URLs for the presence of malware, changes in content and any vulnerability.



Cyber Security Solutions implemented Contd….

9. Network Behaviour Analyser (NBA); Product/OEM: Cisco
   NBA tools listen to IP traffic flow records or network packets to establish a baseline of normal activity and then look for anomalies in network flows. This alerts security and network managers to suspicious activity outside the normal traffic pattern so that remedial action can be taken before significant damage is done.

10. Network Admission Control (NAC); Product/OEM: Cisco ISE
   NAC allows PCs or ATMs to connect to the network only after checking the compliance level of the machine requesting connection. NAC restricts unknown devices from being connected directly to the Bank's network: the switch interface is kept in blocking mode by default and the port is opened only if the device meets the network compliance requirements.

11. Network Intrusion Prevention System (NIPS); Product/OEM: Cisco Firepower
   A combination of hardware and software that protects computer networks from malicious activity. It continually monitors the organisation's networks for abnormal traffic patterns, generates event logs, alerts system administrators to significant events and stops potential intrusions where possible.

12. Authentication, Authorisation and Accounting (AAA); Product/OEM: Cisco
   Used for network device AAA: proper authentication and authorisation of users on network devices, and accounting (monitoring) of their activities.

13. SSL Decryptor (part of the load balancer); Product/OEM: Radware
   A single-box solution for offloading traffic encryption/decryption processing for both inbound and outbound traffic.

14. Proxy Server to access the Internet; Product/OEM: McAfee & Sophos (for branches), Forcepoint (for Admin Offices)
   The web proxy is used by staff to browse the Internet securely, for business requirements, from the Bank's network.
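The baseline-then-anomaly logic described under item 9, as an added example that is not the Bank's Cisco NBA configuration. The flow records are constructed (two hypothetical hosts, 10.20.1.5 and 10.20.1.9, with 24 steady training hours followed by two anomalous hours), and the per-host features, the z-score threshold and the absolute floor are choices made for this illustration; a product exposes them as sensitivity tuning.

```python
"""Flow-baseline anomaly detection in the style of an NBA tool. Added
illustration, not the Bank's Cisco NBA logic. Flow records are constructed
(hypothetical hosts 10.20.1.5 and 10.20.1.9) and aggregated per host per hour."""
import math
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    hour: int        # hour index within the data set (0 = first training hour)
    src: str         # source host
    dst: str         # destination host
    bytes_out: int   # bytes sent src -> dst in this record

def hourly_features(flows):
    """Per (host, hour): (total bytes out, number of distinct destinations)."""
    agg = defaultdict(lambda: [0, set()])
    for f in flows:
        agg[(f.src, f.hour)][0] += f.bytes_out
        agg[(f.src, f.hour)][1].add(f.dst)
    return {k: (v[0], len(v[1])) for k, v in agg.items()}

def build_baseline(features, train_hours):
    """Mean and standard deviation of each feature per host over the training hours."""
    per_host = defaultdict(list)
    for (host, hour), obs in features.items():
        if hour in train_hours:
            per_host[host].append(obs)
    baseline = {}
    for host, rows in per_host.items():
        stats = []
        for i in range(2):
            vals = [r[i] for r in rows]
            mean = sum(vals) / len(vals)
            std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
            stats.append((mean, std))
        baseline[host] = stats
    return baseline

def detect(features, baseline, z=3.0, min_delta=(1_000_000, 20)):
    """Flag (host, hour) where a feature exceeds mean + z*std. min_delta is an
    absolute floor so that a perfectly steady baseline (std = 0) does not alert
    on a one-byte change; an NBA product exposes this as sensitivity tuning."""
    alerts = []
    for (host, hour), obs in features.items():
        if host not in baseline:
            continue  # never seen in training: a real tool would learn it or alert separately
        for name, i in (("bytes_out", 0), ("distinct_dst", 1)):
            mean, std = baseline[host][i]
            if obs[i] > mean + max(z * std, min_delta[i]):
                alerts.append((host, hour, name, obs[i]))
    return sorted(alerts)

def constructed_flows():
    """24 training hours of steady traffic, then two anomalous hours (constructed data)."""
    flows = []
    for h in range(24):
        for j in range(3):    # file server talks to 3 peers, about 1 MB/hour
            flows.append(Flow(h, "10.20.1.5", f"10.30.0.{j + 1}", 330_000 + (h % 5) * 3_000))
        for j in range(5):    # workstation talks to 5 internal services
            flows.append(Flow(h, "10.20.1.9", f"10.30.1.{j + 1}", 40_000 + (h % 4) * 1_000))
    for j in range(3):        # hour 24: bulk transfer to the usual peers (exfiltration-like)
        flows.append(Flow(24, "10.20.1.5", f"10.30.0.{j + 1}", 17_000_000))
    for j in range(200):      # hour 25: one host touching 200 destinations (scan-like)
        flows.append(Flow(25, "10.20.1.9", f"10.30.2.{j}", 100))
    return flows

def run_nba(flows, train_hours=range(24)):
    """Build the baseline from the training hours and score every (host, hour)."""
    feats = hourly_features(flows)
    return detect(feats, build_baseline(feats, set(train_hours)))
```

The two anomalies are deliberately different in kind: the file server's bulk transfer is invisible on the destination-count feature (it talks to its usual three peers) and the workstation's sweep is invisible on the byte-volume feature (20 KB in total), so a detector that watches only one of volume or fan-out would miss one of them. That is why NBA tools baseline several features per host rather than a single traffic counter.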
Cyber Security Solutions implemented Contd….

15. Web Data Leak Prevention (DLP); Product/OEM: McAfee (for branches), Forcepoint Network DLP (for branches & Admin Offices)
   Data Leakage Prevention (DLP) is a strategy that ensures end users do not send confidential or sensitive information outside the enterprise network. DLP software detects potential data breaches and data exfiltration attempts and prevents them by monitoring, detecting and blocking sensitive data while in motion.

16. Anti Virus and Endpoint Detection and Response (EDR)/Advanced Persistent Threat (APT) protection; Product/OEM: McAfee and Symantec
   The EDR solution detects threats through behavioural analysis and by passing unknown files through a sandbox, in addition to signature (definition) based detection.

17. Host Intrusion Prevention System (HIPS); Product/OEM: Trend Micro
   To protect the system from malware and from exploitation of application-level vulnerabilities.

18. Endpoint Data Leak Prevention (DLP); Product/OEM: Forcepoint Endpoint DLP
   The endpoint DLP agent applies the same strategy on the user's machine: it detects potential data breaches and exfiltration attempts and prevents them by monitoring, detecting and blocking sensitive data while in use and in motion.
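The kind of content rule a network DLP (item 15) or endpoint DLP (item 18) policy applies before letting a message, upload or file copy leave, as an added example that is not a McAfee or Forcepoint policy. It looks for payment card numbers (PANs), which is the data a bank's DLP most commonly has to stop in motion. The sample texts are constructed; 4111 1111 1111 1111 and 5555 5555 5555 4444 are the publicly documented industry test card numbers, not real accounts. The thresholds and the masking format are choices made for this illustration.

```python
"""Content inspection for payment card numbers (PANs), the kind of rule a
network or endpoint DLP policy applies to outbound mail, uploads or copies.
Added illustration, not a McAfee/Forcepoint policy. Sample texts are constructed;
4111 1111 1111 1111 and 5555 5555 5555 4444 are the industry test card numbers."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (a 20-digit reference number is not a card).
PAN_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: double every second digit from the right,
    subtract 9 from any product above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display rule) so the
    DLP alert itself does not leak a full PAN into the SIEM or the ticketing tool."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return masked PANs found in text. A regex hit that fails Luhn is a phone
    number, invoice or reference number, not a card, so it is not reported."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def dlp_decision(text: str, allowed_pans: int = 0):
    """Policy: block the transmission if it carries more card numbers than allowed.
    Returns (verdict, masked PANs) so the verdict can be logged without the data."""
    pans = find_pans(text)
    return ("BLOCK" if len(pans) > allowed_pans else "ALLOW"), pans
```

The Luhn step is what keeps a rule like this usable: a bare "13 to 19 digits" pattern fires on order numbers, mobile numbers with country codes and timestamps, and a DLP that blocks those gets switched off. Masking in the alert matters for the same reason the control exists: the incident record must not become a second copy of the card data.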



Cyber Security Solutions implemented Contd….

19. Data Classification; Product/OEM: Titus
   Data classification is the process of organising data by relevant categories so that it can be used and protected more efficiently. Classification makes data easier to locate and retrieve, and supports risk management, compliance and data security.

20. Mobile Device Management (MDM); Product/OEM: VMware Workspace ONE
   The MDM solution is used to configure the devices used by employees, to protect the business data on them and to remotely lock lost or stolen devices.

21. Firewall Analyser; Product/OEM: AlgoSec
   Firewall Analyzer analyses complex network security policies in firewalls and recommends policy changes to improve the configuration. It automates and simplifies security operations including troubleshooting, auditing and risk analysis; using it, the firewall configuration can be optimised and security and compliance ensured.

22. Virtual Private Network (VPN); Product/OEM: Pulse Secure
   VPN connectivity is used to access the Bank's systems from home in a secure way. It provides Work from Home facilities to Bank officials and vendor representatives as per requirement.

23. Active Directory; Product/OEM: Microsoft
   AD enables administrators to manage permissions and control access to network resources.

24. Asset Management Tools; Product/OEM: Micro Focus
   Asset management tools give a complete view of an asset, including cost, utilisation and return on investment.


Cyber Security Solutions implemented Contd….

25. Service Desk/Ticketing Tool; Product/OEM: SMAX
   A tool used to track IT service requests, events, incidents and alerts that may require further action from IT.

26. Software Testing Solution; Product/OEM: Micro Focus (Nexpose application)
   Software testing covering SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing). Static code analysis is a form of white-box testing that identifies security issues in source code; dynamic analysis is a form of black-box vulnerability scanning that lets software teams scan running applications and identify vulnerabilities.

27. Deception Technology; Product/OEM: Zscaler
   Deception technology is a category of cybersecurity solutions that detect threats early with low rates of false positives. It deploys realistic decoys (e.g. domains, databases, directories, servers, applications, files, credentials, breadcrumbs) in the network alongside real assets to act as lures; legitimate users have no reason to touch a decoy, so any interaction with one is a high-confidence signal.

28. Application Whitelisting; Product/OEM: AV (Symantec & McAfee)
   Application whitelisting (also known as application allow-listing) is a common method used by IT organisations to secure on-premise and cloud-based networks and infrastructure against malicious cyber-attacks and unwanted network penetration. Whitelisting and blacklisting are two approaches to controlling access to websites, email, software and IP addresses on networks. Whitelisting denies everything by default and only the owner can explicitly allow an item, so unknown or modified executables never run; blacklisting allows everything by default and denies only the specific items listed, so anything not yet known to be bad gets through.

29. Patch Management; Product/OEM: Radia
   Patch management is the administrator's control over operating system (OS), platform and application updates. It involves identifying systems that are missing vendor fixes, obtaining and testing the update package, releasing it to the estate and validating that the updates were installed.
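The allow-list versus block-list distinction under item 28, worked through on file hashes, as an added example that is not the Bank's Symantec or McAfee policy. The "executables" are constructed byte strings standing in for binaries on a branch PC, the install paths are hypothetical, and the three policies (hash allow-list, path allow-list, hash block-list) are written side by side so the difference in what each lets run is visible on the same inputs.

```python
"""Allow-list (whitelist) versus block-list (blacklist) execution control, and
why an allow-list keyed on file hash is stronger than one keyed on path. Added
illustration, not the Bank's Symantec/McAfee policy. The "executables" are
constructed byte strings standing in for binaries on a branch PC."""
import hashlib

def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

# Constructed stand-ins for files; a real agent hashes the file before it executes.
APPROVED_CBS_CLIENT = b"CBS client build 4.2 (constructed sample)"
APPROVED_PDF_VIEWER = b"PDF viewer 11.0 (constructed sample)"
KNOWN_MALWARE = b"known dropper (constructed sample)"
TAMPERED_CBS_CLIENT = APPROVED_CBS_CLIENT + b"\x90"   # same path, one byte changed
NEVER_SEEN_TOOL = b"portable admin tool (constructed sample)"

# Allow-list policy: exact hashes of the builds that change management approved.
HASH_ALLOW_LIST = {sha256(APPROVED_CBS_CLIENT), sha256(APPROVED_PDF_VIEWER)}
# A weaker allow-list policy keyed on install path (hypothetical paths).
PATH_ALLOW_LIST = {r"C:\Program Files\CBS\client.exe", r"C:\Program Files\PDF\viewer.exe"}
# Block-list policy: hashes of samples the AV vendor has already seen.
HASH_BLOCK_LIST = {sha256(KNOWN_MALWARE)}

def allow_by_hash(path: str, blob: bytes) -> bool:
    """Default deny: runs only if the content hash was explicitly approved."""
    return sha256(blob) in HASH_ALLOW_LIST

def allow_by_path(path: str, blob: bytes) -> bool:
    """Default deny, but trusts location: a file overwritten in place still runs."""
    return path in PATH_ALLOW_LIST

def block_by_hash(path: str, blob: bytes) -> bool:
    """Default allow: runs unless the content hash is already known bad."""
    return sha256(blob) not in HASH_BLOCK_LIST

def decisions(path: str, blob: bytes) -> dict:
    """True means the policy lets the file execute."""
    return {"hash_allowlist": allow_by_hash(path, blob),
            "path_allowlist": allow_by_path(path, blob),
            "hash_blocklist": block_by_hash(path, blob)}
```

The cases that separate the policies are the tampered client (approved path, changed bytes) and the never-seen tool: the hash block-list passes both because neither matches a known-bad signature, and the path allow-list passes the tampered client because it only asks where the file is. Only the hash allow-list refuses both, which is the "deny everything not explicitly approved" property the text describes. The cost is operational: every approved build, including each patch release, has to be added to the list before it will run.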



Additional Cyber Security Solutions Proposed

30. Centralised Log Management Server (CLMS); Product/OEM: new solution proposed
   To collect all application and transaction level logs centrally so as to comply with CERT-In guidelines, including their log retention requirements.

31. Malicious IP Blocking; Product/OEM: new solution proposed
   To have a dedicated solution for blocking malicious IPs and URLs as per advisories, reducing the load on the firewalls.

32. Information Rights Management (IRM); Product/OEM: new solution proposed
   To ensure that shared data can be accessed and viewed only by the personnel authorised by the data owner.


Policies & Standard Operating Procedure (SOP)
1. Information Systems Security Policy
The overall objective of the “Information Systems Security Policy” is to provide guidance and direction to Indian
Bank for the protection of its information systems against accidental or deliberate damage or destruction. Indian
Bank, hereinafter referred to as the Bank, has a responsibility to ensure that its information assets are
adequately protected from a variety of threats such as error, fraud, embezzlement, sabotage, terror, extortion,
espionage, privacy violation, service interruption and natural disaster.
2. Cyber Security Policy
The main objectives of the cyber security policy are:
• To enhance the resilience of the Bank by improving the current defences against cyber risks and to
ensure adequate cyber security preparedness on a continuous basis.
• To provide guidance and direction to the Bank in combating cyber threats, given the complexity of its
business and its acceptable level of risk.
• To enable the Bank’s employees, vendors, contractors and other stakeholders to gain awareness of and fulfil
their responsibilities to protect the information assets with which they are entrusted.
3. Cyber Crisis Management Plan
The plan provides guidelines for handling cyber security related crises. It discusses the types of cyber
crisis, and the policies, actions and responsibilities for a coordinated, multi-disciplinary, broad-based approach to
prepare for rapid identification, information exchange, response and remediation, so as to mitigate and recover from
malicious cyber incidents impacting critical infrastructure.
Policies & Standard Operating Procedure (SOP)
4. SOP on Cloud Computing
Cloud computing delivers IT capabilities as services with elasticity and scalability, where subscribers
can make use of resources, platforms or software without having to own and manage the underlying
complexity of the technology. The Bank, when considering cloud computing as a model for delivering IT services, shall
address the security and related concerns of cloud implementation dealt with in this document.

5. SOP on Application Programming Interface
The objective of this Standard Operating Procedure is to establish a guideline for the development, deployment and
maintenance of Application Programming Interfaces, and to provide the baseline security aspects to be considered when
deploying APIs within the Bank’s environment and between the Bank’s environment and the Internet.

6. Digital Payment Security Control Policy
This policy covers the digital transactions and processes carried out by the Bank and its customers with regard to the
Bank’s digital payment products and services, including in-line systems.



Important Agencies

CERT-In (Computer Emergency Response Team - India) has been designated as the national agency to perform the
following functions in the area of cyber security: collection, analysis and dissemination of information on cyber
incidents; forecasts and alerts of cyber security incidents; and emergency measures for handling cyber security
incidents.

CERT-In became operational in January 2004 under the Ministry of Communications and Information Technology and is
the national nodal agency under Section 70B of the Information Technology Act, 2000 (a section inserted by the 2008
amendment). In December 2013, CERT-In reported a rise in cyber attacks on Government organisations and on sectors
such as banking and finance, oil and gas and emergency services, and issued a list of security guidelines to all
critical departments. It liaises with the Office of the National Cyber Security Coordinator, the National Security
Council and the National Information Board on the nation’s cyber security and threats. As the nodal entity, CERT-In
today plays a crucial role under the Ministry of Electronics and Information Technology (MeitY).

The original Computer Emergency Response Team (CERT) was formed in 1988 by the U.S. Defense Advanced Research
Projects Agency, and is coordinated through Carnegie Mellon University’s Software Engineering Institute (SEI), to
research and report on Internet-related security problems; national teams such as CERT-In follow this model.



Important Agencies

The National Critical Information Infrastructure Protection Centre (NCIIPC) is an organisation of the Government
of India created under Section 70A of the Information Technology Act, 2000 (as amended in 2008), through a gazette
notification dated 16 January 2014, and is based in New Delhi. NCIIPC maintains a 24x7 help desk to facilitate
reporting of incidents (toll-free number 1800-11-4430). It issues advisories and alerts and provides guidance and
expertise-sharing in addressing threats and vulnerabilities for the protection of Critical Information Infrastructure
(CII), which comprises assets (real/virtual), networks, systems, processes, information and functions that are vital
to the nation, such that their incapacity or destruction would have a devastating impact on national security and
the economic and social well-being of citizens.




Thank You

