
Fundamentals of Information Security to Protect Banks from Cyber Attacks

Md. Shihab Uddin Khan
Associate Professor and Director (Training and Certification Program)
[BS (Hons) in Applied Physics, Electronics and Communication; MS in Computer Science, Dhaka University]
Cell: 01710991890, Mail: msukhan@bibm.org.bd


What is Cyber Crime?

• Crime can be defined as the breaking of rules and regulations imposed by the government of a country, for which that government can punish the criminals.
• A crime (unlawful activity / criminal intent) performed in cyberspace is called cybercrime.
• In cyber crimes, the computer is a tool, medium and target.
• Use of computers, networks and the Internet by cyber criminals to do something that would be a crime in any case.
• Cyber crime is an ‘umbrella’ term for many different types of crime which either take place online or where technology is a means and/or target of the attack.

Why learn about Cyber Crime?

• Everybody is using computing devices: from white-collar criminals to terrorist organizations, and from teenagers to adults.
• Conventional crimes like forgery, extortion, kidnapping etc. are being committed with the help of computers.
• The new generation is growing up with computers and internet access.
• MOST IMPORTANT - Monetary transactions are moving on to the INTERNET.
• Rapid growth of online transactions: e-commerce, e-banking, e-government and e-citizen.
• Cyber crime/attack is one of the biggest global threats, alongside climate change and nuclear weapons / war.

Vulnerabilities of Cyber Crime?

Because of:
• Anonymity
• No Geographical Boundary
• Computer’s Huge Storage Capacity
• Weakness in Operating System
• Lack of Cyber Security Awareness of End-Users
• Perception Gap of Management in respect of Cyber Risk in Business

Some Common Motives behind the Cyber Crime

1) Greed
2) Power
3) Publicity
4) Revenge / Vengeance
5) Adventure
6) Desire to access forbidden/Corporate information
7) Destructive mindset / Sabotage
8) Business Competitiveness & Company Reputation
9) Wants to sell new security services/solutions (Blackmailing by Vendors)
10) Governmental/Political Conflict (Global Conflict/War)

Profile of Cyber Criminals
(For both Internal and External Cyber Threats / Threat Creators)

1) Disgruntled/Dissatisfied employees
2) Rogue/Dishonest/Corrupted employees
3) Novice or Unaware or Ignorant employees
4) Contractual/Daily-basis/Temporary/Part-Time Employees
5) Former Employees
6) Employees of Third-party Vendors
7) Professional Hackers / Crackers
8) Business Rival/Competitor
9) Political Hacktivist
10) Teenagers
11) Ex-Boy/Girl Friend
12) Divorced Husband/Wife
13) Relatives
14) Others

Types of Hackers

1) White Hat Hackers
2) Black Hat Hackers
3) Gray Hat Hackers
4) Script Kiddies
5) Green Hat Hackers
6) Blue Hat Hackers
7) Red Hat Hackers
8) State/Nation Sponsored Hackers
9) Hacktivist
10) Malicious insider or Whistleblower

Source: https://www.jigsawacademy.com/blogs/cyber-security/different-types-of-hackers/

How North Korean hackers became the world’s greatest bank robbers and they are preparing for cyber warfare

Cyber Army of North Korea

The Motives Behind Cyber Crime
9622 cases of Cyber Crime in India in 2014. What were the motives?
https://gramener.com/playground/blog/

5752 Cyber Criminals Arrested in India
https://gramener.com/playground/blog/

There are different types of security attacks which affect the communication process in the network, and they are as follows:

(a) Normal flow (from information source to information destination)
(b) Interruption: attack on availability
(c) Interception: attack on confidentiality
(d) Modification: attack on integrity
(e) Fabrication: attack on authenticity

List of Cyber Crime
(This is not an exhaustive list of cyber crime)

• Hacking/Cracking: SQL Injections, Theft of FTP Passwords, Cross-site scripting
• DoS / DDoS Attack
• Malware/Spyware/Ransomware
• Logic Bombs
• E-mail Spamming/Bombing
• Identity Theft / Credit Card Fraud
• Spoofing (E-mail/Web)
• Session Hijacking / Web Jacking / Man-in-the-Middle (MITM) Attacks
• Salami Attack
• Pornography
• Data diddling
• Social Engineering
• Software Piracy
• Intellectual Property Theft
• IRC Crime
• Phishing/Vishing/Smishing
• Cyber Stalking/Defamation
• Net Extortion
• Others

Four Major Categories of Cyber Crime

• Against persons/individuals (spamming, e-mail spoofing, child pornography, cyber stalking/defamation etc.)
• Against property (credit card fraud, intellectual property crimes such as software piracy, theft of computer source code, and Internet time theft)
• Against (business and non-business) organizations (capture of secret data/valuable business information by hacking/cracking, unauthorized access to computers, DDoS, virus attack, e-mail bombing, salami attack, logic bomb, Trojan horse and data diddling etc.)
• Crime targeting the government (cracking any govt./military websites etc.)

The 6 Types Of Cyber Attacks To Protect Against In 2019

How are the Cyber criminal groups organized to commit Cyber Crime (A case of ATM/Card Fraud)?

DBBL ATMs hacked by Ukrainian nationals: A total of Tk 3 Lakh went missing (Fraud Case)

• A total of Tk 3 lakh went missing from an ATM of a DBBL booth in Dhaka's Badda on Saturday morning (June 01, 2019), but no transaction was recorded in the bank server and no money was deducted from any client’s account. One of the foreign nationals was detained on Saturday night when he was trying to steal money from a DBBL ATM booth in the Taltola, Khilgaon area. Police later detained five more foreigners for their involvement in the new kind of ATM fraud. According to police, all six detainees are citizens of Ukraine. They landed together in Dhaka on Thursday (May 30, 2019). The fraudsters used ATM cash-out malware.

Fraudsters steal Tk 9.60 lakh from Pubali Bank ATMs (Fraud Case)

Three ATM booths of Pubali Bank Limited in Chattogram and Cumilla were tampered with by fraudsters, and Tk 9.60 lakh was stolen over two days, November 17 and 18, 2019.

A man entered an ATM booth of Pubali Bank in Cumilla. He opened the automated teller machine using a key. Then he took a small part out of the machine and closed it. He took a small mobile device from his pocket and did something with it. Within a few moments, notes came out of the ATM in several phases. This is how the fraudster looted a total of Tk 3.30 lakh from the booth on November 18. The same type of ATM scam happened one day earlier in Chattogram. On November 17, another member of the gang entered two booths of the same bank in Chattogram. He stole Tk 3.10 lakh from a booth on Sheikh Mujib Road and Tk 3.20 lakh from another booth on Chattogram College Road in the same way.

(Source: The Daily Newspaper of BD, published on November 19 and 20, 2019)

(Fraud Case)

• NCCBL Data Center servers were severely attacked by ransomware in 2019. Banking operations were disrupted. It took 2 days to recover from this disruption.

The biggest data breaches of all time

* USA TODAY's list of the largest reported breaches, in order of magnitude.

Massive Ransomware cyber-attack hits nearly 100 countries around the world, May 2016

• More than 45,000 attacks recorded in countries including the UK, Russia, India and China may have originated with theft of ‘cyber weapons’ from the NSA.
• A ransomware cyber-attack that may have originated from the theft of “cyber weapons” linked to the US government has hobbled hospitals in England and spread to countries across the world.
• Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 99 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.
• By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.

List of Top 20 Countries with the highest rate of Cybercrime
(source: BusinessWeek/Symantec, June 2016)

Frauds in BD Banks (2013)

[Pie chart of fraud share by channel: ATM and Plastic Card 43%; Mobile Banking 25%; ACPS and EFT 15%; Internet Banking 12%; Banking Application Software 3%; SWIFT and Others 2%]

Top 5 Industries At Risk Of Cyber-Attacks, May 2016
1) Healthcare
2) Manufacturing
3) Financial Services
4) Government
5) Transportation
https://www.forbes.com/sites/stevemorgan/2016 (IBM Research Report)

5 Key Industries Most Vulnerable to Cyber Attacks in 2020
1) Healthcare
2) Technology and Telecoms
3) Finance Services Industry
4) Energy Industry
5) Construction Industry
https://www.securit.biz/en/blog/key-industries-most-vulnerable-to-cyber-attacks

Top Target Industries For Cyber Attack in 2021
1) Business
2) Healthcare/Medical
3) Banking/Credit/Financial
4) Government/Military
5) Education
6) Energy/Utilities
https://www.redteamsecure.com

Threat List: $1.1M is Lost to Cybercrime Every Minute of Every Day

• Every minute, there are 5,518 records leaked from publicly disclosed incidents.
• Every 60 seconds, $1.1 million is lost to cyberattacks.
• Globally, when a large business is affected, the average cost is $11.7 million a year and $222 a minute. This is despite the fact that businesses are spending $171,000 every minute on defense.
• The research also found that every minute 1,861 people fall victim to scams and 1.5 organizations fall victim to ransomware attacks.

Source: https://threatpost.com/threatlist-1-1m-is-lost-to-cybercrime-every-minute-of-every-day/136871/

Cybercrime Damage and Cybersecurity Spending

• In 2004, the global cybersecurity market was worth $3.5 billion, and in 2017 it was worth more than $120 billion.
• The cybersecurity market grew by roughly 35X during that 13-year period, prior to the latest market sizing by Cybersecurity Ventures.
• Global spending on cybersecurity products and services for defending against cybercrime is projected to exceed $1 trillion cumulatively over the five-year period from 2017 to 2021 (Cybersecurity Ventures predicts).
• “Most cybersecurity budgets at U.S. organizations are increasing linearly or flat, but the cyberattacks are growing exponentially,” says CSC’s Montgomery.
• This simple observation should be a wake-up call for C-suite executives.

https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

Big banks invest huge sums in cyber security

• The U.S. federal government, big banks, and big businesses are spending big bucks in a war against hackers and cyber criminals.
• HSBC Budgets $1 Billion for Cyber Security Improvements.
• JP Morgan Chase Doubles Cybersecurity Spending. In 2014, the company spent $250 million on cybersecurity; it plans to spend no less than $500 million by the close of 2015.
• Bank of America Corp. CEO Brian Moynihan said the nation’s second largest lender would spend $400 million on cybersecurity in 2015. The cybersecurity team/unit has a blank check and can spend as much as needed to protect the firm and its customers from cyber attack.

Top Cyber Threats and Top Five Tools

The Top Cyber Threats -

• Ransomware
• Cryptojacking
• Internet of Things (IoT) device threats (IoT botnet DDoS attacks)
• Data breaches
• Mobile malware
• Phishing attacks
• Software update supply chain attacks
• Advanced Persistent Threat (APT)

Cyber Security 2019: Top Five Threats, Top Five Tools

Top Five Tools

The cybersecurity industry is actively trying to combat cyberthreats, which leads to the development of many emerging cybersecurity technologies.

1) Deep Learning: DL, a subset of AI, is widely used in a variety of fields including cybersecurity. Many security tools, such as Security Orchestration, Automation, and Response (SOAR), make use of DL to enhance their capabilities. Deep learning can help cybersecurity teams identify and deal with many advanced threats such as APT attacks.

2) Advanced Authentication: With all the advances in cybercrime techniques and technologies, the most common way to execute cyber attacks is by leveraging insecure usernames and passwords. Nowadays, many companies are finding more secure ways for users to log in without having to type in passwords. For example, Google started to use fingerprint authentication for their accounts. Intel has also found another way, using hardware authentication, to test several hardware factors, which they bake directly into computer hardware to validate user identities.

3) Data Loss Prevention: DLP is a class of tools designed to protect organizations against the loss of valuable and sensitive data. To do so, DLP tools detect, monitor and block potential threats.

4) User Behavior Analytics (UBA): The goal of UBA is to differentiate between legitimate user behaviors and illegitimate user behaviors. Once UBA detects an anomaly, it alerts the security teams to take action against the threat.

5) Cloud Tech: The cloud is one of the most rapidly growing technologies today. For many small companies and startups, the security that the cloud offers is much superior to what they could establish in-house, which makes the cloud a great solution.

To minimize the risk:

• Set a BYOD Policy. Bring-your-own-device (BYOD) policies establish rules and procedures for bringing personal devices into work. Such a policy can help limit the risks imposed by allowing personal computers, phones, and other devices onto the company network.
• Set Privilege Policies. Limit employee access only to resources necessary to perform their jobs (implement PLP policy).
• Raise Awareness and Provide Training. Training your employees to recognize common cybersecurity risks can go a long way toward securing your business. An employee who knows how to spot a phishing attempt is far less likely to click a malicious link or open a suspicious file.

Objective of ICT Security is to protect IT Assets of Banks

• Data/Information (Database) - Customer’s Accounts Information, Employee Info, etc.
• Resources (Hardware, Network & Software)
  o Hardware/Network Resources - Host Server, App Servers, Core Router & Switch, Online UPS etc.
  o Software Resources – OS, Banking Software, DBMS etc.
• Bank Reputation - Smooth online operation, Timely services etc.
• Core / Key Personnel - (CEO, CRO, CIO, CTO, CISO, BOM, PM, DBA, NA, IS Auditor, IT Security Analyst etc.)

Information Security Measures/Management

• Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. (wikipedia.org)
• Principles/Attributes of Information Security:
  o Confidentiality
  o Integrity
  o Availability
  o Authenticity
  o Accountability
  o Non-repudiation
  o High availability system

CIA Triad of Info Security
[https://en.wikipedia.org/wiki/Information_security]

A number of extensions to the CIA Triad Model
[http://geraintw.blogspot.com/2012/09/cia-infosec.html]

The Information Assurance model is a tool dedicated to defending three key elements: People, Process and Technology.
[https://cybersecnugget.wordpress.com/author/yannial2/]

Logical vs. Physical Security in E-Banking

• Logical security protects access to computer systems / network.
• Physical security protects the site and everything (IT/IS resources) located within the site from physical damage.

Physical Security
Lock & Key, Bank Vault, Credit Card Photo, Secure site for ATM booth etc.

• Physical Access Control: List of authorized personnel; maintain visitors’ record; door access using swipe card & password/biometric devices with facility for recording entering & leaving information.
• Power: Electricity (proper wiring / concealed wiring), redundant online UPS, redundant auto-generator, proper earthing, lightning arrester, surge protector.
• Redundant Air Conditioners: Industry-standard precision cooling system to ensure smooth and stable temperature for reliability and longevity of sensitive electronic equipment. Maintain separate channels for hot aisle and cold aisle in the data center.
• Dehumidifier: For maintaining proper humidity in the air of the data center room.
• Fire Control: Fire and smoke detectors, fire extinguisher, auto fire detection and protection system, periodic fire drill.
• Emergency Exit: This provision should be in place to safeguard people and high-cost sensitive equipment.
• Location / Site and Construction Standard: Fire-resistant wall, ceiling, door. Earthquake-resistant construction. Green Environment and Green Data Center.
• Video Monitoring: 24 hrs video surveillance, video recording, preservation of records for min of 30 days, intelligent CCTV and video analytics.

Logical Security

• Security schemes concerned with user authentication & authorization:
  o Password / PIN Protection
  o Encrypted smart cards
  o Biometrics / fingerprinting
  o Firewalls/VPN/IPS

• Security schemes concerned with data and transaction security:
  o Secret key (Symmetric) encryption
  o Public Key (Asymmetric) encryption
  o Digital Signature and Certificate Authority

Categorization of Authentication Methods:

User Knows:
• User name/ID and Password
• PIN
• Identifiable Picture
• One Time Password

User Possesses:
• Swipe Card
• Proximity Card
• USB Token

User Behaviors / Behavioral:
• Speech
• Signature
• Keyboarding Rhythm / Keystroke Dynamics

User’s Physical Characteristics / Physiological:
• Finger print / Palm Print
• Hand Geometry / pattern recognition
• Iris Recognition
• Retinal Pattern
• Matching through facial patterns
• DNA (Deoxyribonucleic acid)

• Maintain both Authentication & Authorization Level.
• More Authorization Levels for Sensitive Financial Transactions.
• Introduce 2F-AM/Multi Factor-AM for secure online fund transfer.
• Four-factor authentication (4FA) is the use of four types of identity-confirming credentials, typically categorized as knowledge, possession, inherence and location factors.

IT Governance and its role to mitigate IT Risk

[Diagram: IT Strategy Committee (Strategic: What & Why); IT Steering Committee (Tactical: How & Who); Project Steering Committees for Project-1, Project-2 ... Project-n (Operational: What, Who, When, Where, How)]

IT Governance and its role to mitigate IT Risk
Role and Formation of Information Security Committee (ISC)

• The role of the ISC is to devise strategies and policies for the protection of all assets of the bank.
• The committee will also provide guidance and direction on the security implications of the BCP and DRP.

Frequency of Meetings: Quarterly

Chaired by: ED/MD/CEO

Members:
• Head – Integrated Risk Management (/ CRO) – Convener
• Chief Information Officer (CIO)
• Head - Audit
• Head - Compliance
• Head - Human Resource
• Head - Business Operations
• Head - Administration
• Head - IT Assurance
• Chief Information Security Officer (CISO)
• Head - Physical Security

An Organization Structure for Effective ITG

[Organization chart, levels from the top: Board; MD; CIO, Head - Integrated Risk Management, Head - Inspection & Audit; then the function heads (labels include Technology, Business Development, IT Operations, IT Services Mngt, IT Assurance, IT Supplier & Resource Mngt), CISO and IS Auditors]

Proposed Global ICT related Standards/Framework for different Working/Functional Areas of Banks/FIs

Areas: Standards
• Strategic IT Alignment: COBIT
• IT Governance: COBIT, ISO 38500
• Architecture & Information Management: ISO 20022, TOGAF
• Service Delivery: CMMI, ISO 15504, PRINCE 2, PMBOK, ITIL
• Service Management: ITIL, ISO 20000, OHSAS 18001, ISO 22304
• Information Security: ISO 27001, PCI DSS, NIST, SOX, ISF SOGP
• Workshop & Resource Management: SFIA
• IT Risk Assessment/Management: VAL IT, Risk IT, ISO 31000, IEC 31010, COSO-ERM

BB Policy Guidelines Related to E-Banking (Regulatory Compliance)

Why Information/Cyber Security Awareness is Important?
Internal threats are a big challenge!

• It's widely known that internal staff are the biggest threat to IT security.
• Research conducted by the US CERT estimates that almost 40 percent of IT security breaches are perpetrated by people inside the company. [http://www.zdnet.com/article]
• Many organizations focus primarily on protecting themselves against hackers and other external threats.
• A recent Forrester report (2016) found that most data security breaches happen because of employees, i.e. most data security threats are internal. [http://blog.trendmicro.com]
• Nearly 90% of IT professionals believe the ‘insider threat’ is not a technology issue. The vast majority (86%) of IT professionals consider insider threats to be a purely cultural issue, and are not aware that technology can help them address internal security issues. [https://www.isdecisions.com/blog/]

• InfoSec is everyone’s responsibility, not just the InfoSec department. It is the responsibility of all stakeholders of the business.
• Educate end-users (both customers and employees) of an enterprise on their responsibility to help protect the C-I-A of information and IS assets.
• When an enterprise’s employees are cyber security aware, it means they understand -
  o what cyber-threats are,
  o the potential impact of them on their business,
  o the steps required to reduce cyber/business risk,
  o how to prevent cyber-crime infiltrating their online workspace.

Cyber-security-aware customers/employees can save an enterprise money.

The damages that follow a cyber-related incident can be expensive and detrimental for business:
• Loss of revenue
• Reputation damage
• Loss of clients
• Operational disruptions
• Lawsuits
• Intellectual property (IP) cyber theft
• Theft of personally identifiable information (PII)
• Compromised client data, sensitive business information and equipment

IT Security Awareness: A Sound Business Strategy

Customer Awareness Tips for secure online banking

Tip#1 Create a strong password and memorize it for making transactions
Tip#2 Don’t use public/unprotected computing devices or public networks for financial transactions
Tip#3 Delete/skip suspicious email/SMS with links
Tip#4 Avoid downloads from untrusted/insecure websites
Tip#5 Have updated anti-virus software and an updated browser
Tip#6 Use licensed software and ensure regular updates of security patches for OS / applications
Tip#7 Clear browser cache, cookies and history
Tip#8 Monitor your accounts regularly, along with alert messages sent by the e-banking system.

Some Concluding Remarks -

• Cyber Security is the responsibility of all stakeholders of banks.
• Top management (BoDs and Executive management) should have active participation in Cyber Security.
• Banks should remove the gap in Cyber Security knowledge & skill at all levels of stakeholders.
• Banks’ Tendency/Initiatives for Compliance only, not for Effectiveness.
• Continuous real-time risk assessment, review/update and monitoring of Cyber Security policy implementation must be ensured.
• Adam Vincent, CTO-public sector at Layer 7 Technologies (a security services provider to federal agencies (USA) including Defense Department organizations), describes the problems:

“The threat is advancing quicker than we can keep up with it. The threat changes faster than our idea of the risk. It is no longer possible to write a large white paper about the risk to a particular system. You would be rewriting the white paper constantly…”

THANKS ALL

Q&A
