
Afghan United Bank

INFORMATION TECHNOLOGY AUDIT


Final Report

November 17, 2020

Table of Contents
Content ..... Page No.

Introduction and Scope of Work ..... 2
Executive Summary ..... 4
Way Forward ..... 15
Detailed Observations ..... 21
Closed Observations ..... 61
Closeout Letter ..... 67

Page - 1
INTRODUCTION AND SCOPE OF WORK
Introduction and Scope of Work
Introduction
Afghan United Bank is a full-fledged privately owned commercial bank incorporated on October 4, 2007. The Bank obtained its banking license under the Banking Laws of Afghanistan from the Central Bank of Afghanistan (DA Afghanistan Bank) and received its incorporation license from the Afghanistan Investment Support Agency (AISA). The Bank is currently operating through 27 branches in Kabul, Nangarhar, Kandahar, Balkh, Herat, Kunduz, Parwan, Helmand, Nimroz, Khost and other big cities of the country. The Bank offers financial products and services in both Conventional and Islamic Banking across these branches.

Objective
In this engagement, BDO performed a CB Application Controls review, an IT General Controls review, a CB Security Review and Penetration Testing (internal & external) to assess and identify the risks associated with the CB and the effectiveness of the required controls, aligned with industry frameworks.

Scope of Work
Our scope of work is divided into five major tracks:
Track 1 Audit of Information Security Architecture & Implementation of Information Security Policy

Track 2 Data Centre - CBS Operations and IT Products

Track 3 Disaster Recovery Site – BCP

Track 4 Penetration Testing (Internal & External)

Track 5 Operation Technical Workflow & Procedures

EXECUTIVE SUMMARY
Risk Rating
Each finding receives a rating as per the following table:

Graphical Representation of Findings
The following table and graph show our overall assessment categorized by our risk rating.

Sr. No | Engagement Track | High | Medium | Low | Total
1 | IS Architecture & Implementation of ISP | 2 | 4 | 1 | 7
2 | Data Centre - CBS Operations & IT Products | 3 | 2 | 3 | 8
3 | Disaster Recovery Site – BCP | 1 | 0 | 0 | 1
4 | Penetration Testing (Internal & External) | 6 | 4 | 2 | 12
5 | Operation Technical Workflow & Procedures | 3 | 2 | 1 | 6
Total | | 15 | 12 | 7 | 34

Overall Engagement Summary (chart): High 15, Medium 12, Low 7.

Graphical Representation of Findings
The following graph shows the track-wise graphical representation of our assessment categorized by our risk rating.

(Chart: findings per track by risk rating, High / Medium / Low, with one panel each for IS Architecture & Implementation of ISP, Data Centre - CBS Operations & IT Products, Disaster Recovery Site – BCP, Penetration Testing (Internal & External) and Operation Technical Workflow & Procedures. The values are those given in the table above.)

FINDING SUMMARY
No. | Observation | Risk

Information Security Architecture & Implementation of IS Policy

1. | Some generic IDs are active in Active Directory (System admin, FSRV admin, Finance admin, Schema admin, AUB KYC Section) - CLOSED | Medium
2. | Network Intrusion Detection System logs are not enabled, and the Network Intrusion Detection System signature database has not been updated since 2015-05-02. | High
3. | AUB does not have any industry-accepted network hardening standard that is being followed to address the security vulnerabilities of all network components. | High
4. | AUB does not have a documented list of all services, protocols and ports, including business justification and approval for each. | Medium
5. | AUB IT Security policy is not comprehensive and does not cover the following areas: use of generic IDs and default IDs at the application, database and operating system level; use of privileged IDs at the application, database and operating system level; and review of the logs of privileged IDs at the application, database and operating system level. | Medium
6. | Although future IT requirements are being assessed, there is no formalized IT strategy to support AUB's medium and long-term business plan. A formally developed Information Systems Strategic plan would ensure that Information Systems strategies are developed and aligned with business strategies. | Medium
7. | IT related user complaints are tracked manually; appropriate software to keep proper track/management of users' problems has not been implemented. | Medium

Data Centre - CBS Operations and IT Products

8. | AUB is not using Time Synchronization Technology (NAT) to synchronize clocks on multiple systems. | High
9. | Customer Service Officers (CSO) and the entire bank (workstations) are still using Windows 7. Support for Windows 7 ended on January 14, 2020. | High
10. | Backup restoration testing is performed to ensure complete data recovery in case of system outage. However, approval of the test results of backup restoration testing (UET) is not maintained/documented. | Medium
11. | Media classification (labelling of devices) was not proper in the AUB and Roshan datacenters. - CLOSED | Medium
12. | System and network racks were open in the AUB and Roshan datacenters. Two card printing servers were in the printing area rather than the datacenter. | Medium
13. | Datacenter backup UPS was not in working condition. | Low
14. | Identity badges are not assigned to visitors while they visit the data centre. | Low
15. | CCTV cameras were not in place at the backside of the AUB rack in the Roshan datacenter where Card Holder Data is being stored and processed. | Low
16. | There is no SIEM (Security Information and Event Management) solution implemented for centralized logging. | High
17. | AUB datacenter biometric device is not generating logs. | Low

Disaster Recovery Site – BCP

18. | Information Technology Disaster Recovery Plan and Policy has not been updated since 2018. | Medium

Penetration Testing (Internal & External)

19. | Generic user accounts exist on afghanunitedbank.com | High
20. | FTP port is open on afghanunitedbank.com - CLOSED | High
21. | Out of date WordPress version exists on afghanunitedbank.com | Low
22. | Password transmitted over HTTP on inotes.afghanunitedbank.com | Medium
23. | Password field with autocomplete enabled on www.aubsmartbanking.com | Low
24. | SSH server supports SSH Protocol V1 clients (ssh-v1-supported) on 10.1.3.41:22, 10.50.50.9:22, 172.10.0.2:22, 172.11.0.2:22, 172.17.2.2:22, 172.17.2.4:22, 172.10.0.3:22 and 172.28.222.6:22 | High
25. | TLS/SSL server supports the use of static key ciphers (ssl-static-key-ciphers); TLS/SSL server is using commonly used prime numbers (tls-dh-primes) | Medium
26. | Unencrypted Telnet service available (telnet-open-port) on 10.1.3.41:23, 172.17.2.2:23, 172.28.222.6:23, 172.10.0.2:23, 172.11.0.2:23, 10.50.50.9:23, 172.17.2.3:23 and 172.10.0.3:23 | High
27. | An error in handling TKEY queries can cause named to exit with a Require assertion failure. The existing Sun Solaris version allows remote attackers to cause a denial of service attack. Affected: CVE-2016-2776 (DNS-BIND-CVE-2016-2776), CVE-2015-5477 (DNS-BIND-CVE-2015-5477), CVE-2015-5722 (DNS_BIND-CVE-2015-5722), CVE-2014-8500 (DNS_BIND-CVE-2014-8500), CVE-2012-5166 (DNS-BIND-CVE-2012-5166), CVE-2012-1667 (DNS-BIND-CVE-2012-1667), CVE-2011-4313 (DNS-BIND-CVE-2011-4313) | Medium
28. | Microsoft IIS default installation/welcome page installed (http-iis-default-install-page) - CLOSED | Medium
29. | IBM Notes 9.0.1 is no longer supported by IBM. | Medium
30. | Cisco core switch 65000, Cisco router 3900, ASA firewall 2055 and Cisco switches are at end of life, and AUB is not maintaining an Annual Maintenance Contract (AMC) with the vendor. | High
31. | SPARC Enterprise M4000 (OBDX DB and DR DB Server) is at end of life, and AUB is not maintaining an Annual Maintenance Contract (AMC) with the vendor. | High
32. | AUB is not performing Vulnerability Assessment quarterly. | High
33. | AUB is not performing Penetration Testing annually. | High

Operation Technical Workflow & Procedures

34. | EBD ATM and Master card sealed envelopes are not according to best practice standards. | High
35. | ATM card Primary Account Number (PAN) is in clear text and is displayed at CBS Application and Database level. | Medium
36. | Oracle Flexcube is on sustaining support. | High
37. | AUB does not possess adequate technical documentation of the application, such as data flow diagrams and entity relationship diagrams. | Medium
38. | IT Department does not have a documented succession and cross-training plan. | Low
39. | AUB does not have a formal internal IT audit function to review IT activities and to ensure controls exist and are effective. | Medium

WAY FORWARD

WAY FORWARD (INFORMATION TECHNOLOGY AUDIT)
No. Recommendations

1. It is recommended to protect audit logs against tampering and to store them at a centralized logging server. It is also required to retain audit logs for at least a year, with three months of immediate availability. A SIEM solution is recommended to achieve logging at a secure centralized location.

2. It is recommended that AUB management should conduct an independent third party IT Risk Assessment, Vulnerability Assessment and Penetration Testing of critical applications.

3. Time synchronization technology is used to synchronize clocks on multiple systems. NAT should be configured to get updates from industry accepted time sources.

4. Network diagrams describe how networks are configured and identify the location of all network devices, so they should have date, version and responsibility columns to keep track of changes.

5. It is recommended that AUB management should take Oracle Platinum support for new software, security and patches.

6. It is recommended to keep all intrusion detection and prevention engines, baselines and signatures up-to-date and to monitor the logs daily.

7. It is recommended that AUB develop configuration standards for all system and network components, and assure that these standards address all known security vulnerabilities and are consistent with industry accepted system hardening standards.

8. It is recommended that the PAN should be displayed masked on application, database, screen, logs and reports. Ensuring that the full PAN is only displayed to those with a legitimate business need to see it minimizes the risk of unauthorized persons gaining access to PAN data.
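Recommendation 8 calls for the PAN to be masked wherever it is displayed or written to logs and reports. The following is an added example, not code from this report or from AUB's systems: a Python masking routine that keeps the first six and last four digits (an assumed masking format), plus a log-line redactor that uses the Luhn checksum so that ordinary reference numbers are not masked by mistake; the sample log lines are constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the all-digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN so that at most the first six and last four digits remain.

    Separators in the input are preserved so masked values still line up in
    reports; keep_first/keep_last can be lowered (e.g. 0 and 4) for screens
    that need less. Raises ValueError if nothing would be masked.
    """
    n = sum(c.isdigit() for c in pan)
    if keep_first + keep_last >= n:
        raise ValueError("keep_first + keep_last leaves no digit to mask")
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if seen < keep_first or seen >= n - keep_last else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid 13-19 digit sequence in text with its masked form.

    Digit runs that fail the Luhn check (transaction references, account
    numbers without a check digit) are left untouched.
    """
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = "".join(c for c in raw if c.isdigit())
        return mask_pan(raw) if luhn_valid(digits) else raw
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample log lines (not real AUB data): two Luhn-valid test PANs
# and one 13-digit reference number that is not a PAN.
SAMPLE_LOG = [
    "2020-11-17 10:32:01 CBS txn cust=1023 pan=4111111111111111 amt=250.00",
    "2020-11-17 10:32:05 CARD print request pan=5500 0000 0000 0004 branch=KBL",
    "2020-11-17 10:32:09 CBS txn cust=1024 ref=1234567890123 amt=80.00",
]


def redact_log(lines):
    """Apply redact_pans to every line and return the sanitized list."""
    return [redact_pans(line) for line in lines]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

The same redactor can sit in front of the application's log handler or report writer so that the full PAN never reaches storage that does not need it.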

9. It is recommended that AUB maintain AMC with vendors and replace devices and systems which are expired, end of life and end of support.

10. We recommend that management establish a more formal procedure whereby short and long term succession and cross training plans are documented to ensure that the IT staff's skills and levels of experience are adequate to meet the current and future needs of the AUB. Further, the IT department should periodically monitor its progress in this regard.

11. Information Technology Security Policy and Procedures should be formally developed and implemented to address all relevant aspects of information protection. Further, management should set a clear policy direction in line with business objectives, and demonstrate support for and commitment to information security through the issuance and maintenance of an IT policy for the AUB/bank.
In addition, the IT Security Policies should be reviewed keeping in view the guidelines provided by international standards and best practices such as ISO 27001, and updated if required. All employees having access to information assets should be required to sign off on their understanding and willingness to comply with the IT security policy at the time they are hired and on a regular basis thereafter (e.g., annually) to account for policy changes over time.

12. The AUB should consider developing a formal IT strategic plan to address the requirements of the technology infrastructure needed for meeting the needs of the business. The AUB should then consider preparing an IT architecture based on the IT strategy. However, the success of an IT strategy depends on the following:
• IT Strategy must be driven by Business Strategy; Business Strategy must be communicated. Members of the IT Group must be encouraged and supported in their stated intention of expanding their understanding of the business;
• Active participation of IT executives in the business strategy development process;
• Progress in this area will have a positive impact on IT's understanding of user needs, and their ability to communicate these needs to the client's management team; and
• The proposed IT strategy should be cost effective.

13. Current access to the Data Centre as well as access logs should be formally reviewed on a periodic basis.

14. The management should design the application systems technical manuals. This will enable programmers to understand the flow of application programs.

15. We recommend that management establish a more formal procedure whereby short and long term succession and cross training plans are documented to ensure that the IT staff's skills and levels of experience are adequate to meet the current and future needs of the AUB. Further, the IT department should periodically monitor its progress in this regard.

16. The bank should implement software for the help desk function to ensure that all such events are recorded, analysed and resolved in a timely manner. Incident reports should be established in case of significant recurring problems. Help desk software could provide AUB with the following benefits:
• Formal tracking and classification of IT problems by the software to identify trends and patterns and take proactive steps to resolve the problem.
• Reports generated by the help desk software provide a history of the problems and their resolution.

17. An IT auditor can play a vital role in assuring that appropriate financial and operational controls are included in current and future systems and in major modifications of existing applications. The IT auditor can also provide a valuable internal control function by periodically testing systems controls to determine whether they are effective and have not been circumvented.

18. AUB should consider the implementation of an automated program management tool to effectively control the change management cycle for applications.

DETAILED OBSERVATIONS

IS Architecture & Implementation of IS Policy

Detailed Observations

Risk: Many breaches occur over days or months before being detected. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Checking logs daily minimizes the amount of time and exposure of a potential breach.

Ref. 1.1 Intrusion Detection System

Finding: During the system walkthrough of the Intrusion Detection System (IDS), we noted that IDS logs were not enabled and the IDS signature database has not been updated since 2015-05-02.

Recommendation: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known "signatures" and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped. Further, it is recommended to keep intrusion detection and prevention engines, baselines and signatures up-to-date.

MANAGEMENT RESPONSE

The logs for IDS have to be redirected to a SIEM application. The logs cannot be stored in Cisco flash. Will be enabled with SIEM. Implementation will be considered in 2021.

Risk: There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those who are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses.

Ref. 1.2 System Hardening Standards

Finding: AUB does not have any industry-accepted network hardening standard that is being followed to address the security vulnerabilities of all network components.

Recommendation: It is vital that the organization follows a system configuration standard that is industry-accepted and also addresses the security vulnerabilities across all system components. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, www.cisecurity.org, www.iso.org, and product vendors. System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network.

MANAGEMENT RESPONSE

Network and security team will create a network and system hardening document.

Risk: In the absence of a formal and updated IT Security Policy, it would also become difficult to identify deviations from the policy and take corrective action against users who do not follow the basic information security requirements of AUB.

Ref. 1.3 IT Security Policy

Finding: The AUB has developed a formal IT Security policy which is also approved by senior management. However, the policy does not cover the following areas:
• Use of generic IDs and default IDs at the application, database and operating system level;
• Use of privileged IDs at the application, database and operating system level; and
• Review of the logs of privileged IDs at the application, database and operating system level.

Recommendation: AUB management should update the policy in line with process objectives, and demonstrate support for and commitment to information security through the issuance and maintenance of an IT policy for the AUB bank. In addition, all employees having access to information assets should be required to sign off on their understanding and willingness to comply with the IT security policy at the time they are hired and on a regular basis thereafter (e.g., annually) to account for policy changes over time.

MANAGEMENT RESPONSE

Will be incorporated in ITS policy.

Risk: In the absence of a formal and approved IT strategy, there is a risk that future IT investments in technology (both in hardware and software) may not be those that best meet the company's short and long term objectives. Further, the IT organization may not be viewed as the provider of effective solutions to business problems, impacting systems productivity and user confidence.

Ref. 1.4 IT Strategy

Finding: Although future IT requirements are being assessed, there is no formalized IT strategy to support the company's medium and long-term business plan. A formally developed Information Systems Strategic plan would ensure that:
• Information Systems strategies are developed and aligned with business strategies;
• Resources are deployed efficiently and effectively; and
• The entity capitalizes on the business advantages of state-of-the-art Information Technology.

Recommendation: The company should consider developing a formal IT strategic plan to address the requirements of the technology infrastructure needed for meeting the needs of the business. The company should then consider preparing an IT architecture based on the IT strategy. However, the success of an IT strategy depends on the following:
• IT Strategy must be driven by Business Strategy; Business Strategy must be communicated. Members of the IT Group must be encouraged and supported in their stated intention of expanding their understanding of the business;
• Active participation of IT executives in the business strategy development process;
• Progress in this area will have a positive impact on IT's understanding of user needs, and their ability to communicate these needs to the client's management team; and
• The proposed IT strategy should be cost effective.

MANAGEMENT RESPONSE

IT strategy is incorporated and is part of bank strategic plan

Risk: In the absence of help desk software, it will be difficult for IT management to track/monitor the status of user complaints. Additionally, there is a risk that the technical support personnel may not be able to provide adequate and timely assistance to users. Further, IT management may not be able to track trends and monitor statistics pertaining to IT related common problems encountered by users. The completeness and integrity of data pertaining to user complaints cannot be relied upon.

Ref. 1.5 Helpdesk

Finding: IT related user complaints are tracked manually; appropriate software to keep proper track/management of users' problems has not been implemented.

Recommendation: The bank should implement software for the help desk function to ensure that all such events are recorded, analyzed and resolved in a timely manner. Incident reports should be established in case of significant recurring problems. Help desk software could provide AUB with the following benefits:
• Problems are resolved more quickly because the escalation procedures are better controlled and monitored.
• Formal tracking and classification of IT problems by the software to identify trends and patterns and take proactive steps to resolve the problem.
• Reports generated by the help desk software provide a history of the problems and their resolution.

MANAGEMENT RESPONSE

AUB already has an IT helpdesk system in place; however, its reporting functionality will be enabled (project in progress).

Risk: Compromises often happen due to unused or insecure services and ports, since these often have known vulnerabilities and many organizations don't patch vulnerabilities for the services, protocols, and ports they don't use (even though the vulnerabilities are still present).

Ref. 1.6 Services, Protocols & Ports

Finding: The consultant noted that AUB does not have a documented list of all services, protocols and ports, including business justification and approval for each.

Recommendation: It is recommended that AUB's IT Department should maintain a properly documented list of all services, protocols and ports, including business justification and approval for each. By clearly defining and documenting the services, protocols, and ports that are necessary for business, organizations can ensure that all other services, protocols, and ports are disabled or removed.

MANAGEMENT RESPONSE

This point will be covered in network hardening document

Risk: Inappropriate or unnecessary access privileges to the Data Center may compromise the physical security of the Information System and supporting infrastructure.

Ref. 1.7 Physical Security – Data Centre Logs

Finding: Current access to the Data Centre as well as access logs are not system generated and are not formally reviewed on a periodic basis.

Recommendation: Logs of access to the Data Centre as well as system generated access logs should be formally reviewed on a periodic basis.

MANAGEMENT RESPONSE

Datacenter biometric device with digital log keeping functionality has been placed.

CBS Operations – Data Centre

Risk: For post-incident forensics teams, the accuracy and consistency of time across all systems and the time of each activity is critical in determining how the systems were compromised.

Ref. 2.1 Time Synchronization Technology

Finding: BDO consultants noted that AUB does not have Time Synchronization Technology.

Recommendation: Time synchronization technology is used to synchronize clocks on multiple systems. When clocks are not properly synchronized, it can be difficult, if not impossible, to compare log files from different systems and establish an exact sequence of events (crucial for forensic analysis in the event of a breach).

MANAGEMENT RESPONSE

AUB IT Team has implemented the NAT System; further, all AUB servers will be synchronized with NAT.

Risk: The use of outdated software may result in an attacker using the already published vulnerabilities on the website for their personal and malicious interests.

Ref. 2.2 Outdated Operating System in Branch Environment

Finding: During the walkthrough of Card Management, we noted that Customer Service Officers (CSO) and the entire bank (workstations) are still using Windows 7. Note: support for Windows 7 ended on January 14, 2020.

Recommendation: Every major OS upgrade comes with copious amounts of new security features, which is always one of the best reasons to make the switch. It is recommended that AUB switch over to a new Operating System.

MANAGEMENT RESPONSE

Due to a Flexcube 11.3 compatibility issue, since we are running on an old version of Flexcube and Flexcube 11.3 is not certified on Windows 10 and IE11.

Risk: Adequate protection of the audit logs includes strong access control (limit access to logs based on "need to know" only), and use of physical or network segregation to make the logs harder to find and modify. Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised.

Often a malicious individual who has entered the network will attempt to edit the audit logs in order to hide their activity. Without adequate protection of audit logs, their completeness, accuracy, and integrity cannot be guaranteed, and the audit logs can be rendered useless as an investigation tool after a compromise.

Ref. 2.3 Implement SIEM and Secure Audit Logs

Finding: There is no SIEM (Security Information and Event Management) solution implemented for centralized logging. Audit logs must be secured so that they cannot be altered. Audit trail history must be retained for at least one year, with a minimum of three months immediately available for analysis.

Recommendation: Security information and event management (SIEM) is a threat detection and security incident response tool that collects real-time security events and analyzes historical logs from a wide variety of event and contextual data sources. It is recommended to protect audit logs against tampering and to store them at a centralized logging server. It is also required to retain audit logs for at least a year, with three months of immediate availability. A SIEM solution is recommended to achieve logging at a secure centralized location.

MANAGEMENT RESPONSE

Implementation of SIEM (Security Information and Event Management) will be considered in the 2021 budget.

Risk: Without automated logs for change management, it may be difficult to trace unauthorized changes or changes that caused errors and/or processing disruptions. Moreover, in the absence of an automated change management migration tool, it will be difficult for management to perform reviews/audits of previous changes in order to assess adequacy and performance.

Ref. 2.4 Population Change

Finding: There is no formal logging mechanism to determine the complete population of changes implemented in the in-scope applications.

Recommendation: AUB should consider the implementation of an automated program management tool to effectively control the change management cycle for applications.

MANAGEMENT RESPONSE

AUB already has an IT helpdesk system in place; however, its reporting functionality will be enabled (project in progress).

Risk: System and network components can be compromised through open rack doors.

Ref. 2.5 Datacenter Racks

Finding: During our visit to the data center, it was noted that some of the racks in which AUB's CHD inventory was placed were not locked. We also observed that two card printing servers were in the printing area rather than the datacenter.

Recommendation: It is recommended that the racks in which the CHD media is placed should be locked so that they are protected from any unauthorized and malicious access. All sensitive servers and network components should be placed in the datacenter with all physical security controls.

MANAGEMENT RESPONSE

The rack doors are closed and locked now.

Risk: A power outage affects the entire service chain: consumers end up blaming the enterprise, while the enterprise whose systems are hosted in the data centre is itself a victim. Although a power cut may be due to equipment problems at the power company, the ultimate responsibility for the outage falls on the data centre UPS power supply system.

Ref. 2.6 Datacenter Backup UPS

Finding: During the review of the AUB primary datacenter, we observed that the backup UPS was not in working condition.

Recommendation: Every data center needs uninterrupted power 24/7, so the importance of data center backup power cannot be overstated. The UPS not only provides backup power in case of power failure but also protects the servers from power fluctuations.

MANAGEMENT RESPONSE

Order has been placed for new backup UPS for production datacenter.

Risk: Without badge systems, unauthorized and malicious users can easily gain access to the data centre and DR site facility to steal, disable, disrupt, or destroy critical systems and cardholder data.

Ref. 2.7 Visitors' Identity Badges

Finding: During our visit to the data centre, DR site and other server and sensitive operational rooms, the consultant noted that the personnel escorting the visitors were not wearing their badges, so the consultant could not easily distinguish onsite personnel from visitors. Further, the consultant observed that identity badges are not assigned to visitors while they visit the data centre.

Recommendation: It is recommended that management should develop and implement a visitor access policy and procedure in order to enforce this exercise so that unauthorized access or activities can be monitored. The onsite personnel should also wear their authorized badges at all times so that they can be identified correctly.

MANAGEMENT RESPONSE

The Identity badges procedure has been placed for datacenter and ITD visitors.

Risk: When investigating physical breaches, these controls can help identify the individuals that physically accessed the sensitive areas, as well as when they entered and exited. Criminals attempting to gain physical access to sensitive areas will often attempt to disable or bypass the monitoring controls. To protect these controls from tampering, video cameras could be positioned so they are out of reach and/or be monitored to detect tampering.

Ref. 2.8 Video Cameras or Access Control Mechanism

Finding: During our visit to the Roshan Data Centre, the consultant observed that video cameras do not provide proper coverage of the server racks where cardholder data is being stored and processed.

Recommendation: It is recommended that strategically positioned video cameras must be placed in every "sensitive place" in order to monitor unauthorized access to the cardholder data environment, and that the recorded data is stored for at least 90 days to comply with best practices.

MANAGEMENT RESPONSE

Online CCTV cameras have been deployed in the AUB DR Site.

Page - 38
Disaster Recovery Site –
BCP

Page - 39
Detailed Observations
Risk: Security threats and protection methods evolve rapidly. Without updating the disaster recovery policy plan to reflect relevant
changes, new protection measures to fight against these threats are not addressed.

Ref. 3.1: Disaster Recovery Policy Plan

Finding:
During our review of policies and procedures, we noted that the Information Technology Disaster Recovery Plan and Policy has not been updated since 2018. The DR policy contains outdated employee information.

Recommendation:
It is recommended that the Disaster Recovery Policy Plan be reviewed at least annually and updated whenever the environment changes.

MANAGEMENT RESPONSE

Since there were no major changes in the policy and plan; however, as suggested, the policy and plan will be updated accordingly each year.

Page - 40
Penetration Testing
(Internal & External)

Page - 41
Detailed Observations
Risk: The use of generic IDs may lead attackers to try different techniques to bypass the access control mechanisms, such as brute force and dictionary attacks. The use of such accounts also means that intentional or unintentional amendments to the data / information residing in the subject information systems, whether made by administrators, users or network perpetrators, may not be detected in time to prevent compromise of the confidentiality, integrity and availability of critical business data. Moreover, even if detected, it would not be possible to hold a single person accountable for the actions performed via generic IDs.

Ref. 4.1: Generic user accounts exist

Finding:
During the testing of the "https://afghanunitedbank.com/" website it was observed that a generic user exists for the administration of WordPress. The website is directly accessible from the internet.

Recommendation:
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

MANAGEMENT RESPONSE

The details have been shared with the development team to disable the generic user accounts, if any.

Page - 42
Detailed Observations
Risk: The use of outdated hardware may result in an attacker using the already published vulnerabilities on the website for their personal
and malicious interests.

Ref. 4.2: Obsolete Network Devices and Servers

Finding:
SPARC Enterprise M4000 (OBDX DB and DR DB Server), Cisco core switch 65000, Cisco router 3900, ASA firewall 2055 and Cisco switches are end of life, and AUB is not maintaining an Annual Maintenance Contract (AMC) with the vendor.

Recommendation:
It is recommended that AUB maintain an AMC with vendors and replace devices and systems which are expired, end of life or end of support.

MANAGEMENT RESPONSE

A Cisco SmartNet AMC contract will be considered in the 2021 budget.

Page - 43
Detailed Observations
Risk: The Bank may not be aware of the threats actually present in its environment, and unreported network and system vulnerabilities may be exploited, damaging the overall business and creating reputational or financial risk.

Ref. 4.3: Quarterly Vulnerability Scanning

Finding:
We noted that AUB does not perform quarterly internal and external vulnerability scans. Furthermore, it was noted that scans are also not performed after significant changes in the environment.

Recommendation:
It is recommended that management conduct both internal and external network vulnerability scans on a quarterly basis and upon any major change in the environment, and that the identified risks and vulnerabilities be resolved in a timely manner. The scans should be performed by qualified personnel, and rescanning should continue until passing scans are achieved. This should also be made part of the Information Security Policy.

MANAGEMENT RESPONSE

AUB IT security manager has been assigned to perform Vulnerability Assessment quarterly.

Page - 44
Detailed Observations
Risk: The Bank may not be aware of the threats actually present in its environment, and unreported network and system vulnerabilities may be exploited, damaging the overall business and creating reputational or financial risk.

Ref. 4.4: Penetration Testing

Finding:
We noted that AUB is not performing a penetration testing exercise annually. Furthermore, we understand that AUB does not have a documented penetration testing policy that covers penetration testing methodologies in a comprehensive manner.

Recommendation:
It is recommended that management conduct both internal and external penetration testing on an annual basis and upon any major change in the environment, and that the identified risks and vulnerabilities be resolved in a timely manner. The scans should be performed by qualified personnel, and rescanning should continue until passing scans are achieved. This should also be made part of the Information Security Policy.

MANAGEMENT RESPONSE

AUB IT security manager has been assigned to perform Vulnerability Assessment quarterly.

Page - 45
Detailed Observations
Risk: The SSH-1 protocol allows remote servers to conduct man-in-the-middle attacks and replay a client challenge response to a target
server by creating a Session ID that matches the Session ID of the target, but which uses a public key pair that is weaker than the target's
public key, which allows the attacker to compute the corresponding private key and use the target's Session ID with the compromised key
pair to masquerade as the target.

Ref. 4.5: SSH server supports SSH Protocol V1 clients (ssh-v1-supported)

Finding:
The SSH server supports SSH version 1 clients. Version 1 of the SSH protocol contains fundamental weaknesses which make sessions vulnerable to man-in-the-middle attacks.

Affected hosts:
10.1.3.41:22
172.17.2.2:22
10.50.50.9:22
172.17.2.4:22
172.10.0.2:22
172.10.0.3:22
172.11.0.2:22
172.28.222.6:22

Reference:
https://www.kb.cert.org/vuls/id/684820
https://exchange.xforce.ibmcloud.com/vulnerabilities/6603

Recommendation:
Configure the SSH server to support protocol version 2 only. For OpenSSH-based servers, change the "Protocol" line in the sshd_config file to read:

Protocol 2

For systems not based on OpenSSH, you may need to upgrade the operating system version to enable SSHv2 support.

MANAGEMENT RESPONSE

As per approved CRF# AUB/NET/00173, the telnet ports are disabled and only SSH-V2 ports are enabled.
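The recommendation above is a one-line change, but an auditor verifying it across many hosts wants a repeatable check rather than an eyeball of each file. The following is an added example, not code from the BDO report or from the bank: it parses OpenSSH-style configuration text and reports whether the "Protocol" directive still admits version 1, and rewrites it to "Protocol 2". It assumes (as OpenSSH does for this keyword) that the first "Protocol" line wins, and that an absent directive means "Protocol 2", the OpenSSH default since 5.4; OpenSSH 7.4 and later removed SSH-1 entirely and ignore the keyword. Only lines beginning with "#" are treated as comments, matching sshd. The two sample configurations are constructed, not taken from the audited hosts.

```python
"""Check whether an sshd_config still admits SSH protocol version 1.

Added illustration for finding 4.5; not code from the BDO report or the bank.
Assumptions: the first 'Protocol' line wins, and an absent directive means
'Protocol 2' (the OpenSSH default since 5.4; 7.4+ removed SSH-1 altogether).
"""
import re

# Constructed sample configurations, not taken from the audited hosts.
LEGACY_CONFIG = """\
# Legacy server that still accepts SSH-1 clients
Port 22
Protocol 2,1
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
"""

_PROTOCOL_LINE = re.compile(r"^\s*Protocol\s+([0-9,\s]+?)\s*$", re.IGNORECASE)


def protocol_versions(config_text):
    """Return the set of SSH protocol versions the configuration admits."""
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment, as sshd treats them
        m = _PROTOCOL_LINE.match(raw)
        if m:
            # First occurrence wins for this keyword (assumption stated above).
            return {int(v) for v in re.split(r"[,\s]+", m.group(1)) if v}
    return {2}  # assumed default when the directive is absent


def ssh_v1_allowed(config_text):
    """True when the server would still negotiate SSH-1 with a client."""
    return 1 in protocol_versions(config_text)


def harden(config_text):
    """Rewrite the configuration so that only protocol version 2 is offered."""
    out, replaced = [], False
    for raw in config_text.splitlines():
        if _PROTOCOL_LINE.match(raw):
            if not replaced:
                out.append("Protocol 2")
                replaced = True
            continue  # drop any later, shadowed Protocol lines
        out.append(raw)
    if not replaced:
        out.append("Protocol 2")  # make the version-2-only policy explicit
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: SSH-1 allowed = {ssh_v1_allowed(cfg)}")
    print(harden(LEGACY_CONFIG))
```

Run it against the sshd_config collected from each host in the affected-hosts list; a result of True for any host means the change recorded in the CRF has not reached it yet. The configuration check complements, but does not replace, a rescan of the listening service, since the running daemon may not have been restarted after the file was edited.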

Page - 46
Detailed Observations
Risk: Telnet is an unencrypted protocol, as such it sends sensitive data (usernames & passwords) in clear text.

Ref. 4.6: Unencrypted Telnet Service Available (telnet-open-port)

Finding:
During internal penetration testing, we noted that an unencrypted telnet port is open.

Affected hosts:
10.1.3.41:23
172.11.0.2:23
172.17.2.2:23
10.50.50.9:23
172.28.222.6:23
172.17.2.3:23
172.10.0.2:23
172.10.0.3:23

Reference:
https://beyondsecurity.com/scan-pentest-network-vulnerabilities-unencrypted-telnet-server.html?cn-reloaded=1

Recommendation:
Disable the telnet service. Replace it with technologies such as SSH, VPN, or TLS.

MANAGEMENT RESPONSE

As per approved CRF# AUB/NET/00173 the telnet ports are disabled and only SSH ports are enabled.

Page - 47
Detailed Observations
Risk: If an attacker can intercept network traffic, he/she can steal users' credentials. In case the user is accessing the website from a public network, an attacker can intercept the traffic and steal sensitive information.

Ref. 4.7: Password Transmitted over HTTP

Finding:
During the testing of the "http://inotes.afghanunitedbank.com/" website it was observed that the provided link uses HTTP to transmit information to the server.

Recommendation:
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

MANAGEMENT RESPONSE

(Ssl-self-signed-certificate) was enabled only on one server 10.1.3.23 and has been stopped as per approved CRF.

Page - 48
Detailed Observations
Risk: Attackers might decrypt SSL traffic between your server and your visitors.

Ref. 4.8: TLS/SSL server supports the use of static key ciphers and prime numbers (ssl-static-key-ciphers)

Finding:
The server is configured to support ciphers known as static key ciphers. These ciphers do not provide "Forward Secrecy". In the new specification for HTTP/2, these ciphers have been blacklisted.

IP: 10.1.3.5:443

Static key cipher suites observed:
TLS 1.1 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS 1.2 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

Reference:
https://www.rapid7.com/db/vulnerabilities/ssl-static-key-ciphers
https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

Recommendation:
Configure the server to disable support for static key cipher suites.

MANAGEMENT RESPONSE

As per approved CRF# AUB/SYS/00180, the weak key ciphers are disabled on the OBDX AUB smartbanking servers.
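Whether a suite has forward secrecy can be read from its IANA name, which encodes the key exchange between "TLS_" and "_WITH_". The following is an added example, not the scanner's or the report's code: it classifies the suites listed for 10.1.3.5:443 above (deduplicated, since TLS_RSA_WITH_AES_128_CBC_SHA appears under both TLS 1.1 and 1.2) together with two constructed ephemeral suites that were not observed on the host, and splits them into the set to disable and the set to keep. Static RSA, static (EC)DH and plain PSK suites derive session keys from a long-lived key, so a later compromise of that key decrypts recorded traffic; ephemeral (EC)DHE suites and every TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*) do not have that property.

```python
"""Flag TLS cipher suites that lack forward secrecy by their key exchange.

Added illustration for finding 4.8; not the scanner's or the report's code.
"""
import re

# Suites the report lists for 10.1.3.5:443 (deduplicated), plus two
# constructed ephemeral suites, not observed on the host, for contrast.
OBSERVED_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]
EXAMPLE_PFS_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

_KX = re.compile(r"^TLS_([A-Za-z0-9_]+?)_WITH_")


def key_exchange(suite):
    """Return the key-exchange family encoded in an IANA cipher suite name."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "TLS13"  # TLS 1.3 names only the AEAD; key exchange is always (EC)DHE
    m = _KX.match(suite)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {suite}")
    return m.group(1)  # e.g. "RSA", "ECDHE_RSA", "DHE_RSA", "ECDH_ECDSA", "PSK"


def has_forward_secrecy(suite):
    """True only for ephemeral (EC)DHE key exchange or TLS 1.3."""
    kx = key_exchange(suite)
    return kx == "TLS13" or kx.split("_")[0] in ("ECDHE", "DHE")


def triage(suites):
    """Split a scan's suite list into (static-key suites to disable, suites to keep)."""
    disable = [s for s in suites if not has_forward_secrecy(s)]
    keep = [s for s in suites if has_forward_secrecy(s)]
    return disable, keep


if __name__ == "__main__":
    disable, keep = triage(OBSERVED_SUITES + EXAMPLE_PFS_SUITES)
    print("disable:", *disable, sep="\n  ")
    print("keep:", *keep, sep="\n  ")
```

Feeding the suite list from a rescan through triage() gives a quick confirmation that the CRF left no static-key suite enabled; an empty "disable" list is the condition to record before closing the finding.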

Page - 49
Detailed Observations
Risk: The use of outdated software may result in an attacker using the already published vulnerabilities on the website for their personal
and malicious interests.

Ref. 4.9: IBM Notes 9.0.1

Finding:
We noted that IBM Notes 9.0.1 is no longer supported by IBM.

Recommendation:
It is recommended to upgrade IBM Notes to the latest stable version.

MANAGEMENT RESPONSE

(Since the IBM Lotus Notes AMC contract has expired, it will be considered in the 2021 budget.)

Page - 50
Detailed Observations
Risk: The use of outdated hardware may result in an attacker using the already published vulnerabilities on the website for their personal
and malicious interests.

Ref. 4.10: Obsolete Sun Solaris Version

Finding:
An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure. The existing Sun Solaris version allows remote attackers to cause a denial of service.

(CVE-2016-2776) (DNS-BIND-CVE-2016-2776)
(CVE-2015-5477) (DNS-BIND-CVE-2015-5477)
(CVE-2015-5722) (DNS_BIND-CVE-2015-5722)
(CVE-2014-8500) (DNS_BIND-CVE-2014-8500)
(CVE-2012-5166) (DNS-BIND-CVE-2012-5166)
(CVE-2012-1667) (DNS-BIND-CVE-2012-1667)
(CVE-2011-4313) (DNS-BIND-CVE-2011-4313)

IP: 172.16.255.22
IP: 172.16.255.21

Recommendation:
More information about upgrading your version of ISC BIND is available on the ISC website.

MANAGEMENT RESPONSE

The point has been shared with the Oracle support team; however, as per the support team, the issue is resolved in Solaris 11.3 and 11.4, while AUB is still running Solaris 11.2 because the current Oracle database and Flexcube versions are not supported on Solaris 11.3.

Page - 51
Detailed Observations
Risk: If the user chooses to save, data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used on shared computers, such as in cyber cafes or airport terminals.

Ref. 4.11: Autocomplete Enabled

Finding:
During the testing procedures on the following link it was observed that autocomplete was enabled for sensitive fields:
http://www.afghanunitedbank.com/wp-login.php

Recommendation:
1. Add the attribute autocomplete="off" to the form tag or to individual "input" fields.
2. Find all instances of inputs that store private data and disable autocomplete. Fields which contain data such as usernames, passwords, "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords; however, in most cases this is not recommended.
3. Re-scan the application after addressing the identified issues to ensure all of the fixes have been applied properly.

MANAGEMENT RESPONSE

The password field with autocomplete enabled is on for the mobile banking app, since the mobile banking app is using the same UI for Face ID and biometric authentication purposes.
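Findings 4.7 and 4.11 are both properties of the login page's HTML that can be checked mechanically. The following is an added example, not the report's, the tester's or the bank's code: it walks a page with the standard-library HTMLParser and reports any form whose resolved submission URL is not https, and any password or card-data input that a browser may cache because neither the field nor its form sets autocomplete="off". The page URLs and HTML are constructed before/after samples, not captured from the bank's site; the list of name fragments used to spot card fields is a heuristic and an assumption of this example.

```python
"""Audit a login page for credentials sent over HTTP and cached sensitive fields.

Added illustration for findings 4.7 and 4.11; not the report's or the bank's code.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic name fragments that mark card or credential inputs (assumption).
SENSITIVE_NAME_PARTS = ("pass", "pwd", "card", "pan", "cvv", "cvc", "ccv")


class LoginFormAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._form = None  # attributes of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = a
            # A relative action inherits the page's scheme, so resolve it first.
            target = urljoin(self.page_url, a.get("action", ""))
            scheme = urlsplit(target).scheme
            if scheme != "https":
                self.findings.append(f"form submits over {scheme}: {target}")
        elif tag == "input":
            self._check_input(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def _check_input(self, a):
        name = (a.get("name") or a.get("id") or "").lower()
        sensitive = a.get("type", "").lower() == "password" or any(
            part in name for part in SENSITIVE_NAME_PARTS)
        if not sensitive:
            return
        # A field-level value overrides the form-level one; absent means the
        # browser default, which is to offer autocomplete.
        effective = (a.get("autocomplete", "").lower()
                     or (self._form or {}).get("autocomplete", "").lower())
        if effective != "off":
            self.findings.append(
                f"autocomplete enabled for sensitive field '{name or '<unnamed>'}'")


def audit_login_page(page_url, html):
    """Return the findings for one page; an empty list means both checks passed."""
    p = LoginFormAuditor(page_url)
    p.feed(html)
    p.close()
    return p.findings


# Constructed before/after pages (not captured from the bank's site).
WEAK_PAGE = ("http://www.example-bank.test/wp-login.php", """
<form method="post" action="wp-login.php">
  <input type="text" name="log">
  <input type="password" name="pwd">
  <input type="submit" value="Log In">
</form>""")

FIXED_PAGE = ("https://www.example-bank.test/wp-login.php", """
<form method="post" action="https://www.example-bank.test/wp-login.php" autocomplete="off">
  <input type="text" name="log">
  <input type="password" name="pwd">
  <input type="submit" value="Log In">
</form>""")

if __name__ == "__main__":
    for url, html in (WEAK_PAGE, FIXED_PAGE):
        print(url, audit_login_page(url, html) or ["OK"])
```

Because the form action is resolved against the page URL, a page that is itself served over HTTP fails the first check even when the action is relative, which is the situation finding 4.7 describes; a page served over HTTPS whose form posts to an absolute http:// URL is also caught. The check belongs in the re-scan step of the recommendation, run after the fixes are deployed.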

Page - 52
Detailed Observations
Risk: The use of outdated software may result in an attacker using the already published vulnerabilities on the website for their personal
and malicious interests.

Ref. 4.12: Out-of-date WordPress version

Finding:
During the testing procedures on http://www.afghanunitedbank.com/wp-login.php it was identified that the target website is using WordPress and that the installed version is out of date. WordPress is a free and open-source content management system (CMS) based on PHP and MySQL.

Recommendation:
Please upgrade your installation of WordPress to the latest stable version.

MANAGEMENT RESPONSE

The details have been shared with the development team to remediate the issue.

Page - 53
Operation Technical
Workflow & Procedures

Page - 54
Detailed Observations
Risk: Cardholder Data (PAN, Cardholder name, Expiration Date, Service Code) and Sensitive Authentication Data (Full track data, CAV2, CVC2, CVV2) can be used in fraudulent activities.

Ref. 5.1: Card Envelope

Finding:
During our walkthrough with the EBD department, we noted that the sealed card envelope is not prepared according to best practices.

Recommendation:
It is recommended that the card be wrapped with paper or tape so that it is not visible through the envelope.

MANAGEMENT RESPONSE

The EBD department has been informed to envelope the ATM and Master cards as per best practices and BDO recommendations and suggestions.

Page - 55
Detailed Observations
Risk:
• No new software updates. You can access only the pre-existing ones.
• No new security alerts and updates. You can access only the pre-existing ones.
• No new critical patch updates. You can access only the pre-existing ones.
• No new upgrade tools and scripts. You can access only the pre-existing ones.
• No more tax, legal, and regulatory updates. You can access only the pre-existing ones. Unless you have an internal team tracking and resolving these types of updates, your operations may be taking on increased legal risk of non-compliance with national, regional, or local requirements.
• No access to Platinum Services. You may have used this enhanced support and performance option while under Premier Support. Now, it is no longer available.
• No new certification with most existing Oracle products/versions. You only have the pre-existing ones.
• Oracle will not fix issues with your custom code. This is true for Premier Support and Extended Support as well.
• Self-service through the My Oracle Support portal is challenging. Although you retain access to My Oracle Support, locating the specific information you need can be difficult and time-consuming.
• The quality of your Oracle Support may suffer.

Ref. 5.2: Oracle Flexcube

Finding:
During our review of the database, we observed that an obsolete version of the Oracle Database server is running and that AUB is currently on Sustaining Support.

Recommendation:
It is recommended that AUB management take Oracle Platinum support in order to receive new software, security updates and patches.

MANAGEMENT RESPONSE

The issue has already been intensified to AUB BOM and BOS; further, based on the BDO observation, AUB ITD will reinitiate the subject issue with BOM and BOS.

Page - 56
Detailed Observations
Risk: Due to increasing importance and complexity of IT in company’s operations, it is important to expand the involvement of internal audit in
the IT function. This would increase the effectiveness of the internal IT audit function in areas where computerized systems are used and relied
upon.

Ref. 5.3: Internal IT Audit

Finding:
During our audit, we noted that AUB does not have a formal internal IT audit function or specialized IT resources to review IT activities, assess and analyze IT risks, and evaluate the effectiveness of information security controls over the network as well as in applications and databases.

Recommendation:
It is recommended that the AUB IT Audit department conduct independent IT audits frequently to identify loopholes and vulnerabilities in systems and the network, and subsequently find adequate solutions to address the risk of technical failure or hacking. A specialized IT auditor can also provide a valuable internal control function by periodically testing system controls to determine whether they are effective and have not been circumvented.

MANAGEMENT RESPONSE

AUB IT security manager has been assigned to perform IT audit function and review the IT activities to ensure security measures are in place

Page - 57
Detailed Observations
Risk: The continuity and consistency of the application systems may be compromised due to the lack of complete and current documentation.

Ref. 5.4: DFD & ERD

Finding:
AUB does not possess adequate technical documentation, such as Data Flow Diagrams (DFD) and Entity Relationship Diagrams (ERD), of the in-scope applications.

Recommendation:
Management should design the application systems' technical manuals. This will enable programmers to understand the flow of the application programs.

MANAGEMENT RESPONSE

DB Team will create the Entity relationship diagrams of Flexcube DB.

Page - 58
Detailed Observations
Risk: The display of full PAN on items such as computer screens, payment card receipts, faxes, or paper reports can result in this data being
obtained by unauthorized individuals and used fraudulently.

Ref. 5.5: Mask PAN

Finding:
During our walkthrough with the EBD and CBS departments, we noted that the Primary Account Number (PAN) is held in clear text in the tables and is also displayed on screen, in logs and in reports without masking.

Recommendation:
It is recommended that the PAN be masked in the tables and when displayed on screen, in logs and in reports. Best practice allows only the first six and last four digits of the PAN to be displayed unmasked.

The masking approach should always ensure that only the minimum number of digits is displayed as necessary to perform a specific business function. For example, if only the last four digits are needed to perform a business function, mask the PAN so that individuals performing that function can view only the last four digits.

MANAGEMENT RESPONSE

A high priority case has been raised with the Oracle support team in order to mask the ATM cards' PAN.
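The two masking levels in the recommendation, and the log and report channels it names, are shown in the following added example, which is not the bank's, Oracle's or the report's code. mask_pan() keeps at most the first six and last four digits (the maximum best practice permits) and refuses anything more; mask_last4() is the minimum-necessary form; redact_log() applies that stricter form to every Luhn-valid run of 13 to 19 digits in a line of free text, so a PAN that reaches a log line is masked before it is written, while other long numbers such as reference ids are left alone. The PAN and log line used are constructed test values, not customer data.

```python
"""Mask primary account numbers (PANs) for screens, logs and reports.

Added illustration for finding 5.5; not the bank's, Oracle's or the report's code.
"""
import re


def luhn_valid(digits):
    """Luhn checksum; distinguishes real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan, keep_first=6, keep_last=4, fill="*"):
    """Return the PAN with all but the permitted leading/trailing digits masked."""
    digits = re.sub(r"[\s-]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19):
        raise ValueError("not a PAN-length digit string")
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("best practice allows at most the first six and last four digits")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + fill * hidden + digits[len(digits) - keep_last:]


def mask_last4(pan):
    """Minimum-necessary form for functions that need only the last four digits."""
    return mask_pan(pan, keep_first=0, keep_last=4)


# 13-19 digits, optionally separated by spaces or hyphens, not part of a longer number.
_PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_log(line):
    """Mask every Luhn-valid PAN in a log line; other digit runs are left untouched."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_last4(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_RUN.sub(_mask, line)


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"  # constructed, Luhn-valid test number
    print(mask_pan(test_pan))    # 411111******1111
    print(mask_last4(test_pan))  # ************1111
    print(redact_log("2020-11-17 txn ok card=4111111111111111 ref=12345678901234"))
```

redact_log() is meant to sit in the logging path (a formatter or filter) rather than be run over files afterwards, since a PAN that has already been written to disk has already been exposed; the Luhn check keeps dates, timestamps and reference numbers from being mangled, at the cost of missing a PAN that was itself mistyped.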

Page - 59
Detailed Observations
Risk: Without a documented succession and cross-training plan it is difficult to monitor and ensure that skills and experience of staff are
adequate to support the Corporation's IT needs.

Ref. 5.6: Cross-Training Plan

Finding:
The IT Department does not have a documented succession and cross-training plan.

Recommendation:
We recommend that management establish a more formal procedure whereby short- and long-term succession and cross-training plans are documented, to ensure that the IT staff's skills and levels of experience are adequate to meet the current and future needs of the company. Further, the IT department should periodically monitor its progress in this regard.

MANAGEMENT RESPONSE

The CBS and IT teams have provided based on requirement; however, a cross-training plan will be prepared and discussed with the HR manager.

Page - 60
Closed Observations

Page - 61
CLOSED - ITEMS
Risk: Generic and shared user IDs on the system lack user accountability. In case of any unauthorized activity, management may not be able to identify the perpetrator. This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual's actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials.

Ref. 6.1: Generic IDs

Finding:
Some generic IDs are active in Active Directory (System admin, FSRV admin, Finance admin, Schema admin, AUB Kyc Section).

We also noted that the Symantec Antivirus user was a generic and shared user.

Recommendation:
It is recommended that generic IDs and shared IDs be either removed or disabled, and that access to systems, applications and devices be allowed only through proper IDs mapped to individuals.

MANAGEMENT RESPONSE

As per approved CRF, the user IDs are disabled.

BDO RESPONSE:

According to the Change Request no “IT-Infra-0049”, generic IDs are disabled now.

Page - 62
CLOSED - ITEMS
Risk: Media not identified as confidential may not be adequately protected or may be lost or stolen.

Ref. 6.2: Labelling of Devices

Finding:
Media classification (labelling of devices) was not proper in the AUB and Roshan data centres.

Recommendation:
It is important that media be identified such that its classification status is easily discernible.

MANAGEMENT RESPONSE

The AUB IT Team has started relabelling the components.

BDO RESPONSE:

BDO consultants verified that the data centre devices (systems, network) are now discernible.

Page - 63
CLOSED - ITEMS
Risk: If an attacker can intercept network traffic, he/she can steal users' credentials for the FTP service. In case the user is accessing the website from a public network, the chances increase that an attacker can intercept the traffic and steal sensitive information.

Ref. 6.3: Use of insecure FTP protocol

Finding:
During the testing of the "http://inotes.afghanunitedbank.com/" website it was observed that the provided link uses HTTP to transmit information to the server.

Recommendation:
All sensitive data must be transferred over a secure protocol such as SFTP.

MANAGEMENT RESPONSE

As per approved CRF, the FTP port has been disabled and SFTP enabled.

BDO RESPONSE:

BDO consultants reviewed IT-Infra-0051 and noted that AUB is now using SFTP (22) Port.

Page - 64
CLOSED - ITEMS
Risk: In the absence of formal data restoration testing, Bank’s management cannot obtain assurance on the integrity and availability of
backed up data.

Ref. 6.4: Data Restoration _UET

Finding:
The presence of the HOD's email address in the 'CC:' field of an email does not ensure that approval has been sought. Special characters can be used in the email address, intentionally or unintentionally, so that the email never reaches the recipient, leading to:

• An unauthorized or unapproved change can be promoted to the production environment.
• Key financial data/programs can be intentionally or unintentionally modified.

If the request is not authorized after development, the development effort will be wasted.

Recommendation:
Explicit authorization should be sought from the HOD for changes to the system. Furthermore, authorization in the form of a CRF should be sought before the start of the process.

MANAGEMENT RESPONSE

Since it is a UAT and testing environment, only email approvals are required; however, as per BDO recommendation, a CRF# has been placed for the UAT restoration activity.

BDO RESPONSE:

BDO consultants reviewed Change Request No “IT-UAT-DB-001”, and observed that the observation has been rectified.

Page - 65
CLOSED - ITEMS
Risk: In many cases, IIS is installed by default and the user may not be aware that the web server is running. These servers are rarely
patched and rarely monitored, providing hackers with a convenient target that is not likely to trip any alarms.

Ref. 6.5: Microsoft IIS default installation/welcome page installed (http-iis-default-install-page)

Finding:
The IIS default installation or "Welcome" page is installed on the server. This usually indicates a newly installed server which has not yet been configured properly and which may not be known about.

IP: 172.16.255.44:80

Reference:
https://www.rapid7.com/db/vulnerabilities/http-iis-default-install-page

Recommendation:
If this server is required to provide necessary functionality, then the default page should be replaced with relevant content.

MANAGEMENT RESPONSE

The http-iis-default-install-page was enabled only on one server 10.1.3.23 and has been stopped as per approved CRF.

BDO RESPONSE:

According to the Change Request no “IT-Infra-0050”, Microsoft default installation page has been stopped now.

Page - 66
CLOSEOUT - LETTER

Page - 67