
CYBER SECURITY

AWARENESS
Ajay M. Nikumb
Founder & CEO – Soc Shashwat Pvt Ltd.
Director – SOC Analyst Pvt. Ltd.

Soc Shashwat Pvt Ltd., Pune


THANKS

• To the management of Janseva Bank Pune.

• To all participants.



INTRODUCTION :- SHASHWAT GROUP – INDIA

• Shashwat Solutions.

• SOC Analyst Pvt. Ltd.

• SOC Shashwat Pvt. Ltd.

• Location – Pune , Mumbai , Delhi.


SHASHWAT GROUP – OUR OFFERINGS

• Audits
• Consultancy
• Security
• Solutions
• Training

AUDITS

1. System Audit as per RBI guidelines.
2. Migration Audit as per RBI guidelines.
3. Network Audit as per RBI guidelines.
4. Vulnerability Assessment and Penetration Testing (VAPT).
5. Payment Card Industry Data Security Standard (PCI DSS).
6. Sarbanes-Oxley Act compliance (SOX).
7. Service Organization Control 2 (SOC 2).
8. Forensics.
INTRODUCTION

• Ajay M Nikumb
• 30 years' total experience in Information Technology.
• System Auditor.
• PCI DSS Certified Payment Industry Security Implementer.

• Publications
1) Cloud Security – Prerequisite of New Era
   Published in a National Conference by SKN Sinhgad School of Business Management, Pune. ISBN: 978-93-5097-389-9
2) A Study of Human Excellence and its Effects on Life.
   Published by the International Journal of Business, Management and Social Sciences. ISSN: 2249-7463
3) Education In The Vision of Swami Vivekananda.
   Published in a National Conference by SKN Sinhgad School of Business Management, Pune. ISBN: 978-93-5097-389-9
4) Information Security – book in Marathi. ISBN: 978-81-933308-8-3
5) Information Security Policy for Co-op Banks (RBI guidelines).
6) Cyber Security Policy for Co-op Banks (as per RBI and CERT guidelines).
PROFESSIONAL MEMBERSHIPS

A. Life Member – Indian Institute of Materials Management.

B. Life Member – National Council for Co-operative Training (India).

C. Information Systems Audit and Control Association (ISACA) chapter.

D. Maratha Chamber of Commerce and Agriculture – Pune.

E. Head – IT Cell – Sahakar Bharti Maharashtra.

F. Head – IT Training – Sahakar Bharti – Banking Section – Maharashtra.

Faculty Member – YASHDA Pune.

o Vike. Patil Institute of Banking Pune.
o Maharashtra – Bank Associations.
o Maharashtra – Sahakar Bharti.
o Maharashtra – Patsanstha Federation.
o Maharashtra – various universities & colleges.
FEW SIMPLE EXPECTATIONS FROM YOU

• Be positive.
• Be interactive.
• Use the available time effectively.
• No question is a silly question, so do not hesitate to ask.
WHAT IS SECURITY AWARENESS TRAINING?

1. Cybercriminals take advantage of your trust, fear, greed, and plain old human error.

2. Security awareness training teaches you to spot fakes, avoid risks online, and use good cyber-hygiene practices at work and at home.



WHY DOES IT MATTER?

The world is getting more digital
• Business, banking, healthcare, etc. is all online

Crime is following the same trend
• Worldwide ransomware attacks
• High-profile hacks in the news
• Phishing emails are more sophisticated each day

New privacy laws and regulations are being enacted
• Many industries require training for compliance
WHY SHOULD YOU CARE

A. Because the online world is so interconnected, everyone is a target
B. If just one of your accounts gets breached, criminals can use it to breach others
C. Criminals may target personal accounts and data to breach corporate ones, and vice versa
D. Fraud and identity theft don't just affect an individual; they can affect your family, friends, co-workers, and business



WHAT KIND OF THREATS ARE THERE ?

1. Phishing and spear-phishing attacks

2. Business email compromise

3. Social engineering scams

4. Common malware and ransomware

5. Fake websites that steal data or infect devices

6. And much more


• It's not that dangerous online, though, right?

• 1 in 50 URLs is malicious[1]
• Nearly 1 in 3 phishing sites uses HTTPS to appear legitimate[1]
• 90% of the malware businesses encounter is delivered via email[2]
• Most breaches involve phishing and using stolen credentials[2]



DATA BREACHES IN 2022


• #cybersecurity #databreaches #datasecurity #informationsecurity
• https://www-cshub-com.cdn.ampproject.org/c/s/www.cshub.com/attacks/articles/the-biggest-data-breac
hes-and-leaks-of-2022/amp



HOW BAD IS THE RISK?

1. Small businesses face nearly the same level of risk as large/enterprise organizations[1]
2. The average total cost of a data breach is now up to $3.92 million[2]
3. In India, Maharashtra region: nearly Rs 50 crore lost by the co-operative sector.



MOBILE VULNERABILITY

• 76% Location
• 76% Camera
• 57% Microphone
• 43% Contact
• 32% SMS
• 25% Fingerprints



MOBILE SECURITY

• Mobile Device Security Best Practices

• Enable user authentication (screen lock).
• Use a password manager.
• Always run updates.
• Avoid public Wi-Fi.
• Install antivirus.
• Memory scan.
• Enable remote lock (and remote wipe for a lost device).
• Cloud backups.
• Use mobile device management (MDM).
RBI CIRCULAR ABOUT CYBER SECURITY

• RBI/2018-19/63
DCBS.CO.PCB.Cir.No.1/18.01.000/2018-19 October 19, 2018
• RBI Circular - 31-12-2019
HACKERS

• Hackers gather information about banks.

• Two types of hackers target Indian banks:
• One type attacks bank RTGS / NEFT accounts from within North India.
• The other operates from outside India, e.g. North Korea, China, Nigeria...

HOW TO BE SECURED AGAINST SUCH HACKERS?

• Secure your client information.



INFORMATION SECURITY
DEFINITIONS (REF ISO 27001:2013)

• Information (processed data)

• Information is an asset which, like other important business assets, is essential to the business and consequently needs to be suitably protected.

• Asset – an asset is anything that has value to the organization, its operations and its continuity.

INFORMATION SECURITY

• Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investment and business opportunities.
INFORMATION IS AVAILABLE IN VARIOUS FORM

• Written
• Oral
• Stored
• Printed
• Audio Visual
• Coded – Un coded
INFORMATION ASSEMBLY

• From social networking (FB, Twitter, WhatsApp, LinkedIn, organization website, etc.)
• KYC documents (PAN card, Aadhaar card, etc.)
• Bank statements...
• Information Gathering
INFORMATION ASSEMBLY
• MOBILE RECHARGE SHOP
• DEBIT CARD CLONING
• KEYLOGGER
• SMS SPOOFING
• CALL SPOOFING
• RANSOMWARE
• CYBER NUISANCE
• PICTURE MORPHING
• PROFILE HACKING
• ONLINE GAMES
• JOB CALL LETTER
• DATING WEBSITE
INFORMATION SECURITY CHARACTERISTICS

• Confidentiality – ensuring that information is available only to those authorized to have access.

• Integrity – safeguarding the accuracy and completeness of information and processing methods.

• Availability – ensuring that authorized users have access to information and associated assets when required.

INFORMATION SECURITY CHARACTERISTICS

• Confidentiality
• Integrity
• Availability
RISK

• Risk is the potential of losing something of value.

ORGANIZATION RISK
OPERATIONAL RISK

• Direct or indirect loss resulting from inadequate or failed internal processes, people and technology, or from external events.

RISK TREATMENT OPTIONS

• 1) Avoid
• 2) Accept
• 3) Mitigate
• 4) Transfer
INFORMATION SECURITY BREACH – COVID 19

• Almost Rs 50 crore lost by the co-operative banking sector.

• 14 Cr. Nanded
• 4 Cr. Nagpur
• 2 Cr. Jalna
• 2 Cr. Konkan...
• 1.36 Cr. Nashik...

ALMOST 50 CR LOSS FOR THE BANKING SECTOR – WHY?

• RTGS accounts – host-to-host connectivity.
• Bank current accounts.
• Mobile banking.
• Internet banking.
E-MAIL SECURITY
1. Train employees on email security best practices.
2. Don't use free email services for official purposes.
3. Create strong passwords.
4. Don't reuse passwords across accounts.
5. Consider changing passwords regularly -- or not (a long, unique password plus MFA matters more than a fixed rotation schedule).
6. Use multifactor authentication (MFA).
7. Take phishing seriously.
8. Be wary of email attachments.
9. Don't click email links; type the address yourself or use a saved bookmark.
10. Don't use business email for personal use and vice versa.
11. Only use corporate email on approved devices.
12. Encrypt email, communications and attachments.
13. Avoid public Wi-Fi.
14. Use email security protocols (SPF, DKIM and DMARC for sender authentication, TLS for transport).
15. Use email security tools.
16. Log out.
WHO IS RESPONSIBLE FOR LOSS ?

1. Top Management ?
2. CEO ?
3. IT Head / IT Dept. ?
4. User ?
5. What RBI Says - ?
6. Who will suffer - ?
7 Types of Phishing Scams You Should Know About

Email Phishing Scams

It may look like an email from your bank, PayPal, Google, Amazon, or even your CEO.

Spear Phishing Scams

This is when they target you specifically. They have researched you; they know your family members, where you work, and who your boss is. The chances of fooling you are higher.

Smishing Scams

These are text message phishing scams. Criminals know people respond to text and instant messages faster than email.
Google Search Scams

You may be surprised, but some of the top search results in Google are phishing links. Scammers also invest in search engine optimization and work hard to rank their scam sites in the top search results.

[Screenshot annotations: search result shows the brand; the title displays the correct brand name but the URL mismatches: the title says Venmo while the URL is a generic sites.google.com address; 2nd result for an organic search; even top search results can be manipulated for fake sites.]
Social Media Scams

Social media is full of fake accounts. It could also be a fake account with the same name and photo as one of your real friends that will later try to scam you.
QR Code Scams

Who thought a QR code could be dangerous? They are everywhere, especially in restaurants. Criminals can place their own sticker over the legitimate one, so that when you scan it you will be redirected to a fake site.

Vishing Scams

Vishing (voice phishing) is a type of phishing attack made over the telephone. Scammers can spoof a phone number that looks identical to a known number, like your bank. Numbers for personal and commercial contacts, including trusted brands, can be spoofed.
What Helps Protect You From Phishing Attacks?

If it's urgent, don't let emotion cloud your judgment
Call and verify! - Verify that you are talking to the correct person, using a number you already had before the message arrived
Check the address - Always check the email address and URL for spelling mistakes
Enable Multi-Factor Authentication
Look at the style of the message
Ask questions
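The "check the address" advice above can be partly automated. The following Python is an added example, not part of the original deck: given a link and the brand it claims to belong to, it lists the reasons a reader should distrust it, covering the cases the slides describe (a title that says Venmo on a sites.google.com URL, a brand name hidden in a subdomain, digit-for-letter look-alikes) plus two a practitioner would add (credentials before an "@", and punycode labels). The brand allow-list and the confusable table are constructed for the example, and registrable_domain assumes a two-label suffix; a real checker would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains per brand (example data only;
# a real deployment would maintain its own list).
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "venmo": {"venmo.com"},
    "google": {"google.com"},
    "amazon": {"amazon.com", "amazon.in"},
}

# A small constructed table of substitutions attackers use to fake a brand name.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """'login.paypal.com' -> 'paypal.com'.

    Assumption: the registrable part is the last two labels. Real checkers use
    the Public Suffix List so that hosts under e.g. 'co.in' are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_confusables(label: str) -> str:
    """Undo common look-alike substitutions so 'paypa1' compares equal to 'paypal'."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def check_link(url: str, claimed_brand: str) -> list:
    """Return the warnings for a link that claims to belong to `claimed_brand`.

    An empty list means: https, and the registrable domain is on the brand's
    allow-list. Anything else is a reason to stop and verify out of band.
    """
    brand = claimed_brand.lower()
    warnings = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""

    if parts.scheme != "https":
        warnings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if not host:
        warnings.append("no hostname in URL")
        return warnings
    if "@" in parts.netloc:
        # https://paypal.com@evil.example/ : the browser connects to evil.example
        warnings.append("credentials before '@' hide the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible homoglyph domain)")

    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS.get(brand, set()):
        return warnings

    warnings.append(f"registrable domain is '{domain}', not a known {brand} domain")
    if brand in host:
        # paypal.com.secure-login.example: the brand is only a subdomain
        warnings.append("brand name appears in the host but not as the registrable domain")
    stem = domain.split(".")[0]
    if stem != brand and normalize_confusables(stem) == brand:
        warnings.append(f"'{stem}' is a look-alike spelling of '{brand}'")
    return warnings


if __name__ == "__main__":
    for url, brand in [
        ("https://www.paypal.com/signin", "paypal"),
        ("https://sites.google.com/view/venmo-login", "venmo"),
        ("https://paypal.com.secure-login.example/verify", "paypal"),
        ("https://paypa1.com/", "paypal"),
        ("https://xn--pypal-4ve.com/", "paypal"),
    ]:
        print(url, "->", check_link(url, brand) or ["OK"])
```

The check deliberately keys on the registrable domain rather than on whether the brand name appears anywhere in the URL, because attackers put the brand in subdomains and paths precisely to pass a naive "does it contain paypal" test. Any warning means: do not click; open the site from your own bookmark or call the organisation on a number you already have.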
How long will it take to crack your password

7 characters     1 minute
8 characters     1 hour
9 characters     3-4 days
10 characters    7 months
11 characters    40 years
12 characters    2000 years

Passwords include lowercase, uppercase and numbers (62 possible characters per position); the times assume an attacker trying every combination.
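The table above follows from one calculation: the number of candidates is (alphabet size) ^ (length), and time is that divided by the attacker's guess rate. The Python below is an added example, not part of the original deck; it generalises the table to any alphabet and any length, infers the alphabet from a given password, and converts the result into bits of entropy. The guess rate of 5e10 per second is an assumption chosen because it roughly reproduces the slide's figures for a fast, unsalted hash; against a slow hash such as bcrypt or Argon2 the same numbers grow by several orders of magnitude. The entropy figure is only valid if every character is chosen at random: a phrase built from dictionary words or a well-known pattern is attacked with word lists, not by exhaustive search.

```python
import math
import string

LOWER, UPPER, DIGITS, SYMBOLS = (
    string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation,
)

# Assumed attacker speed: 5e10 guesses/second against a fast, unsalted hash
# (an assumption chosen because it reproduces the slide's table; a slow hash
# such as bcrypt or Argon2 cuts this by several orders of magnitude).
GUESSES_PER_SECOND = 5e10


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover: sum of the classes the password uses."""
    classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    size = sum(len(cls) for cls in classes if any(c in cls for c in password))
    # characters outside the four ASCII classes each count as one extra symbol
    extra = {c for c in password if not any(c in cls for cls in classes)}
    return size + len(extra)


def search_space(length: int, alphabet: int) -> int:
    """Number of candidates a brute-force attacker must try in the worst case."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Strength in bits, valid only if every character is chosen uniformly at random."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(length: int, alphabet: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return search_space(length, alphabet) / rate


def humanize(seconds: float) -> str:
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.2g} seconds"


def crack_report(password: str) -> dict:
    """Worst-case brute-force figures for one password (random-choice assumption)."""
    n = charset_size(password)
    return {
        "length": len(password),
        "alphabet": n,
        "bits": round(entropy_bits(len(password), n), 1),
        "time": humanize(seconds_to_exhaust(len(password), n)),
    }


if __name__ == "__main__":
    # Reproduce the slide's table: lowercase + uppercase + digits = 62 symbols
    for length in range(7, 13):
        print(f"{length:2d} characters  {humanize(seconds_to_exhaust(length, 62))}")
    # Length beats complexity: 7 mixed characters vs. a 23-character lowercase phrase
    for pw in ("Tr0ub4d", "iloveradhawheniwasinten"):
        print(pw, crack_report(pw))
```

Running it shows the point the next slide makes: a 7-character password from a 62-symbol alphabet falls in about a minute, while 23 lowercase letters (a 26-symbol alphabet) take longer than the 12-character mixed case row, because the exponent matters far more than the base.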


How to create a strong Password:

Passwords need to be long!

Use a phrase (NO personal info like your name or B-Day)

Don't reuse passwords!

SAMPLE PASSWORD

● I am a devotee of Sw@miji
● I love R@dha when I was in 10
● I love Abc when I was in 11#
● I love Xyz when I was in 12#
● Krushn@ and Me was classement in 11

(Build your own phrase in this style; never use a sample printed in a training deck, because published examples end up in attackers' word lists.)

HOWEVER...

11 BILLION accounts were stolen from hacked sites and apps.

So even if you have a STRONG PASSWORD, it may still not be enough.

You can check if yours was leaked at haveibeenpwned.com
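The haveibeenpwned.com password check mentioned above can be done without ever sending the password, or even its full hash, to anyone. The Python below is an added example, not part of the original deck: it hashes the password with SHA-1, sends only the first five hex characters to the real Pwned Passwords range API (https://api.pwnedpasswords.com/range/{prefix}), and searches the returned list of suffixes locally, which is the service's k-anonymity design. So that it runs offline, the block embeds a constructed range response in which only the suffix of "password" is genuine; the other suffixes and all counts are made up, and the real service returns hundreds of lines per prefix.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API (haveibeenpwned.com). Only the
# first five hex characters of the SHA-1 ever leave your machine.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """Return (prefix sent to the API, suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(password: str, response_text: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix.

    Returns the breach count, or 0 if the password is not in the set.
    """
    _, suffix = split_for_range_query(password)
    for line in response_text.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network fetch for real use; the service rejects requests without a User-Agent."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Breach count for `password`; `fetch` is injectable so tests can run offline."""
    prefix, _ = split_for_range_query(password)
    return count_in_range_response(password, fetch(prefix))


# Constructed sample response so the example runs offline. The matching suffix
# is the genuine SHA-1 tail of "password"; the other suffixes and all counts
# are made up for this example.
SAMPLE_PREFIX, SAMPLE_SUFFIX = split_for_range_query("password")
SAMPLE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{SAMPLE_SUFFIX}:1234567",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
])


if __name__ == "__main__":
    print("prefix sent to the API:", SAMPLE_PREFIX)
    print("'password' seen in breaches:", check_password("password", fetch=lambda p: SAMPLE_RESPONSE))
    print("a fresh phrase seen in breaches:",
          check_password("I am a devotee of Sw@miji", fetch=lambda p: SAMPLE_RESPONSE))
```

A non-zero count means the exact password is already in attackers' lists and should be changed everywhere it was used, regardless of how long or complex it looks; a zero only means it has not been seen in the published breach sets, not that it is strong.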


And That is Why...

... You should enable Multi-Factor Authentication

This will help to protect your account if your password was stolen or leaked in a data breach.
What type of Multi-Factor Authentication to use?

Most common is text based (SMS), but it's the least secure

It's better to use authenticator apps like Google or Microsoft Authenticator

Or even better yet, a physical USB key


How to avoid getting hacked on public WiFi:

If you have the option to use your mobile data plan, that's better than public WiFi

Criminals often set up hotspots with fake WiFi names, so ask the barista or receptionist for the official WiFi name

Enable the firewall on your device and use a VPN (try to avoid free VPNs - some are owned by criminals)
Ransomware

When criminals hack your computer or network, lock you out, and demand a ransom to let you back in.

How to Avoid Ransomware

Don't download files from random websites

Beware of phishing emails with attachments (see phishing section)

Don't use your company email or password for personal stuff

Don't store passwords in text files or spreadsheets

How to use USB Safely

Avoid public charging stations. They may be compromised.

Don't plug any USB that isn't yours into your device

Encrypt the data on the USB device in case you lose it or it gets stolen.
What is Wire Fraud?

It’s when you’re tricked into wiring money to a fraudulent bank account. For example:

An urgent request to wire money from a criminal who impersonates your CEO
through hacking your CEO’s email account.

They hacked one of your vendors and sent you an invoice with fake
bank information.

If you’re tricked into wiring money to a fraudulent bank account, the bank may not be there to
help you. After all, it’s you who transferred the money, not the criminal.
ATM MACHINE

• Debit card (cloning)

• PAN (card Primary Account Number) – issue register

• PIN management (user & machine)

ATM –

• ATM machine – username and password

• Reconciliation

CCTV

• CCTV – location.
• Display – location.
• Date – time.
• Recording retained 90 days.
• Signboard.
• DVR location.

NETWORK DEVICES – DEFAULT USERNAMES AND PASSWORDS

• Public IP.
• Firewall.
• Router.
• Switches (username / password).
• Wi-Fi router.
HACK YOURSELF

• https://shop.hak5.org/

• Hardware RF hacking with SDR...



YOU DON'T NEED TO BE NEXT IN LINE FOR THE DATA BREACH

10 STEPS TO SECURE NETWORK

10 STEPS (TIPS)

1. Keep safe & update your computer software
2. Keep secured & update your operating system
3. Don't share passwords or access to your computer
4. Never leave devices unattended
5. Protect sensitive data
6. Use mobile devices safely
7. Install anti-virus protection
8. Backup your data
9. Beware of suspicious email and phone calls
10. Practice good password management
TIP # 1 : UPDATE YOUR COMPUTER SOFTWARE

• Risk :
  o Most malware uses security vulnerabilities in your internet browser or internet plug-ins to infect your machine

• Precaution :
  o Turn on automatic updates for your software as well as your operating system
  o Use web browsers such as Chrome or Firefox that receive frequent, automatic security updates
  o Keep browser plug-ins (Java, PDF readers, etc.) up to date and uninstall the ones you no longer need; Adobe Flash reached end of life in 2020 and should be removed, not updated.
TIP # 2 : UPDATE YOUR OPERATING SYSTEM

• Risk :
  o No operating system is perfect, and all of them, if not fully patched, are at risk of being exploited by hackers and viruses

• Precaution :
  o Hit the Windows key on your keyboard and search for "Check for Updates"
  o Click "Advanced Options".
  o Select Automatic (recommended) in the drop-down menu and close the window
TIP # 3 : DON'T SHARE ACCESS TO YOUR COMPUTER

• Risk :
  o File sharing can be used to infect your computer with a virus or compromise your identity.
• Precaution :
  o Deny all file shares and shared folders by default; where a share is needed, protect it with a strong, complex password
  o If access must be given, grant rights to the specific user or group of users through a policy defined by the organisation
  o Do not allow hardware devices such as USB drives or external HDDs on the network without scanning them with antivirus or requiring encryption
TIP # 4 : NEVER LEAVE DEVICES UNATTENDED

• Risk :
  o The physical security of your devices is just as important as their technical security
• Precaution :
  o If you need to leave your laptop, phone, or tablet for any length of time - lock it up so no one else can use it.
  o If you keep sensitive information on a flash drive or external hard drive, make sure to keep these locked as well.
  o For desktop computers, shut down the system when not in use - or lock your screen.

TIP # 5 : PROTECT SENSITIVE DATA

• Risk :
  o Be aware of sensitive data that you come into contact with, and associated restrictions
• Precaution :
  o Keep sensitive data (e.g., SSNs, credit card information, student records, health information, etc.) off of your workstation, laptop, or mobile devices.
  o Securely remove sensitive data files from your system when they are no longer needed.
  o Always use encryption when storing or transmitting sensitive data.
TIP # 6 : USE MOBILE DEVICES SAFELY

• Risk :
  o Given how much we rely on our mobile devices, and how susceptible they are to attack, you'll want to make sure you are protected
• Precaution :
  o Lock your device with a PIN or password - and never leave it unprotected in public
  o Only install apps from trusted sources.
  o Keep your device's operating system updated.
  o Avoid transmitting or storing personal information on the device.
  o Most handheld devices are capable of employing data encryption - consult your device's documentation for available options.

TIP # 7 : INSTALL ANTI-VIRUS PROTECTION

• Risk :
  o Downloading software from a non-credible source may infect your computer with viruses and may make your computer vulnerable to security threats.

• Precaution :
  o Only install an anti-virus program from a known and trusted source.
  o An updated anti-virus program will alert you when a potentially threatening file is being downloaded onto your computer.
  o Keep virus definitions, engines and software up to date to ensure your anti-virus program remains effective.
TIP # 8 : BACKUP YOUR DATA

• Risk :
  o HDD crash, virus affecting the data, data corruption

• Precaution :
  o Get an external hard drive to back up your data daily
  o Use backup software and tapes to back up data and keep copies at a separate geographical location, so the data is available at the DR site
  o Cloud backup services are available for data backup
  o Keep at least one copy offline or otherwise disconnected, so ransomware that reaches your network cannot encrypt the backup too, and test a restore periodically

TIP # 9 : BEWARE OF SUSPICIOUS EMAIL AND PHONE CALLS

• Risk :
  o Phishing scams are a constant threat: cyber criminals use social engineering to trick you
• Precaution :
  o Be suspicious of any official-looking email message or phone call that asks for personal or financial information.
  o Be skeptical of any email that you aren't expecting. Password thieves may insist that immediate action is necessary and may pretend to be your friend or some other trusted entity.
  o Never send passwords, bank account numbers, Aadhaar numbers or driving licence numbers via email. Decline such requests even if asked through email.

TIP # 10 : PRACTICE GOOD PASSWORD MANAGEMENT

• Risk :
  o We all have too many passwords to manage - and it's easy to take short-cuts, like reusing the same password
• Precaution :
  o Use long passwords – 8 to 20 characters or more is recommended; longer is better, and a multi-word phrase is easier to remember than a short complex string.
  o Use a strong mix of characters, and never use the same password for multiple sites
  o Don't share your passwords and don't write them down (especially not on a post-it note attached to your monitor); use a password manager instead.
  o Update your passwords periodically, at least once every 6 months (90 days is better), and immediately if you suspect one has been exposed.
IT TEAM

• Backup - DR/ Cold Backup.


• Configuration Backup for Router / Firewall / Etc.
• Log Management and Backup.
• Log Monitoring.
• SOC Center.
AUDITS

• System Audit – once a year.

• Infrastructure VAPT – quarterly.
• CBS Application VAPT – once a year.
• Mobile Banking VAPT – once a year.
• Internet Banking Website VAPT – once a year.
AWARENESS TRAININGS

• VAPT Tools – ( Nessus, Acunetix , Nmap, Wireshark, Metasploit )


• Firewall Hands on. ( Fortinet, Sophos , Cyberoam……)
• Cyber Security Awareness for all staff.
• ISO 27001 ISMS Lead Auditor.
• Stress Management.
• Positive Attitude.
• And So Many…………….
THANKS

• Q & A.

• Pl Contact for any support.


• Ajay M Nikumb
• Shashwat Solutions – Pune
• Visit us @ www.shashwatpune.com
• www.socanalyst.in
• Email Id: Sales@shashwatpune.com
• Contact us on: 9370643921,
• 8999866403
• 9225246815.
