IS SECURITY
PERSPECTIVES FROM THE
BANKING INDUSTRY
AGUMA MPAIRWE, CISA, CIA, FCCA, B.A. (HONS)
DEFINITIONS
 INFORMATION SECURITY – ‘THE PROCESS BY WHICH AN ORGANISATION PROTECTS AND SECURES ITS SYSTEMS, MEDIA AND FACILITIES THAT PROCESS AND MAINTAIN INFORMATION VITAL TO ITS OPERATIONS’ – FFIEC
 BANKING – ‘THE BUSINESS ACTIVITY OF ACCEPTING AND SAFEGUARDING THE MONEY OWNED BY OTHER INDIVIDUALS AND ENTITIES THEN LENDING OUT THIS MONEY IN ORDER TO EARN A PROFIT’ – INVESTORWORDS
IT SECURITY AND AUDIT BEST PRACTICES – BANKS
 FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL (FFIEC)
 FFIEC IT EXAMINATION BOOKLETS
 FFIEC – US BASED ORGANISATION THAT BRINGS TOGETHER ALL REGULATORS OF THE US FINANCIAL SYSTEM
BANKING ACTIVITIES – GENERAL
 RECEIPT OF DEPOSITS (CASH, CHEQUE OR ELECTRONIC)
 SAFEGUARDING OF DEPOSITS
 LENDING OF DEPOSITS TO OTHER PARTIES
 INVESTMENT AND TREASURY ACTIVITIES – PLACEMENT OF FUNDS, FOREX TRADING, DERIVATIVES TRADING
 AVAILING FUNDS TO THOSE THAT WISH TO WITHDRAW THEM
 GENERAL MANAGEMENT, ACCOUNTING AND ADMINISTRATION
 ALL THE ABOVE WILL INVOLVE THE USE OF SOME FORM OF IT SYSTEM OR OTHER
 ALL THE PROCESSES ABOVE PRESENT RISKS THAT CAN BE EXPLOITED FOR PURPOSES OF FRAUD
 IT SECURITY IS PARAMOUNT
BANKING ACTIVITIES
 BANKS ARE IN THE ‘TRUST’ BUSINESS
 LEGAL, PROFESSIONAL AND ETHICAL OBLIGATION TO KEEP CUSTOMER INFORMATION AND AFFAIRS CONFIDENTIAL – ‘A FINANCIAL INSTITUTION’S EARNINGS AND CAPITAL CAN BE ADVERSELY AFFECTED IF INFORMATION BECOMES KNOWN TO UNAUTHORISED PARTIES, IS ALTERED, OR IS NOT AVAILABLE WHEN IT IS NEEDED’ – FFIEC
 ADVERSE PUBLICITY CAN LEAD TO REPUTATIONAL RISK AND IN THE WORST CASE A RUN ON A BANK.
 THE ‘C.I.A.’ – CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF INFORMATION – IS PARAMOUNT
IT SECURITY OBJECTIVES
 CONFIDENTIALITY
 INTEGRITY
 AVAILABILITY
 ACCOUNTABILITY
 ASSURANCE
 NOTE – ACCOUNTABILITY AND INTEGRITY REPRESENT ‘NON-REPUDIATION’ – FFIEC
CHANGING BANK FRAUD AND FRAUDSTER PROFILE – UGANDA
 IN THE EARLY 2000s AND BEFORE
 KEY FRAUDS WERE:
 CHEQUE FRAUD – FORGED, ALTERED, COUNTERFEIT
 DEPOSIT SLIP FRAUD
 TYPICAL FRAUDSTER – MALE, 35 YEARS OLD, LIMITED EDUCATION
CHANGING BANK FRAUD AND FRAUDSTER PROFILE – UGANDA
 MID-2005 TO DATE
 ELECTRONIC FRAUD
 ATM FRAUD
 IN-HOUSE BANK FRAUD – BY BANK EMPLOYEES EITHER ALONE OR IN COLLUSION WITH OUTSIDERS
 TYPICAL FRAUDSTER – MALE OR FEMALE, BANK EMPLOYEE, TRUSTED INSIDER, EDUCATED, UNIVERSITY GRADUATE, IT LITERATE (NOT NECESSARILY EXPERT!)
ONLINE FRAUD IMPLICATIONS
 71% MORE CAUTIOUS WHEN SHOPPING ONLINE
 67% MORE ATTENTIVE WHEN PROVIDING FINANCIAL AND PERSONAL INFORMATION TO WEBSITES
 28% ABANDON A PURCHASE IF REDIRECTED TO ANOTHER SITE TO PROVIDE PAYMENT INFORMATION
 15% STOPPED SHOPPING ALTOGETHER AS A RESULT OF ONLINE FRAUD CONCERNS – USA SURVEY
INFORMATION WEBSITES
 POTENTIAL LIABILITY AND CONSUMER VIOLATIONS FOR INACCURATE OR INCOMPLETE INFORMATION ABOUT PRODUCTS, SERVICES, AND PRICING PRESENTED ON THE WEBSITE;
 POTENTIAL ACCESS TO CONFIDENTIAL FINANCIAL INSTITUTION OR CUSTOMER INFORMATION IF THE WEBSITE IS NOT PROPERLY ISOLATED FROM THE FINANCIAL INSTITUTION'S INTERNAL NETWORK;
 POTENTIAL LIABILITY FOR SPREADING VIRUSES AND OTHER MALICIOUS CODE TO COMPUTERS COMMUNICATING WITH THE INSTITUTION'S WEBSITE; AND
 NEGATIVE PUBLIC PERCEPTION IF THE INSTITUTION'S ON-LINE SERVICES ARE DISRUPTED OR IF ITS WEBSITE IS DEFACED OR OTHERWISE PRESENTS INAPPROPRIATE OR OFFENSIVE MATERIAL. – FFIEC
TRANSACTIONAL WEBSITES
 SECURITY CONTROLS FOR SAFEGUARDING CUSTOMER INFORMATION;
 AUTHENTICATION PROCESSES – VERIFY THE IDENTITY OF NEW CUSTOMERS AND AUTHENTICATE EXISTING CUSTOMERS WHO ACCESS E-BANKING SERVICES;
 LIABILITY FOR UNAUTHORIZED TRANSACTIONS;
 LOSSES FROM FRAUD IF THE INSTITUTION FAILS TO VERIFY THE IDENTITY OF INDIVIDUALS OR BUSINESSES APPLYING FOR NEW ACCOUNTS OR CREDIT ON-LINE – FFIEC
RETAIL SERVICES
 ACCOUNT MANAGEMENT
 BILL PAYMENT AND PRESENTMENT
 NEW ACCOUNT OPENING
 CONSUMER WIRE TRANSFERS
 INVESTMENT/BROKERAGE SERVICES
 LOAN APPLICATION AND APPROVAL
 ACCOUNT AGGREGATION
WHOLESALE SERVICES
 ACCOUNT MANAGEMENT
 CASH MANAGEMENT
 SMALL BUSINESS LOAN APPLICATIONS, APPROVALS, OR ADVANCES
 COMMERCIAL WIRE TRANSFERS
 BUSINESS-TO-BUSINESS PAYMENTS
 EMPLOYEE BENEFITS/PENSION ADMINISTRATION
TRANSACTIONAL WEBSITES
 POSSIBLE VIOLATIONS OF LAWS OR REGULATIONS PERTAINING TO CONSUMER PRIVACY, ANTI-MONEY LAUNDERING, ANTI-TERRORISM, OR THE CONTENT, TIMING, OR DELIVERY OF REQUIRED CONSUMER DISCLOSURES; AND
 NEGATIVE PUBLIC PERCEPTION, CUSTOMER DISSATISFACTION, AND POTENTIAL LIABILITY RESULTING FROM FAILURE TO PROCESS THIRD-PARTY PAYMENTS AS DIRECTED OR WITHIN SPECIFIED TIME FRAMES, LACK OF AVAILABILITY OF ON-LINE SERVICES, OR UNAUTHORIZED ACCESS TO CONFIDENTIAL CUSTOMER INFORMATION DURING TRANSMISSION OR STORAGE.
SOURCE: FFIEC
ATM/CARD FRAUD
 WHO PICKS UP THE COST IF YOUR CARD IS MISUSED, YOU OR YOUR BANK?
 SOUTH AFRICA – TOTAL VALUE OF ONLINE TRANSACTIONS – USD 285 MILLION
 SOUTH AFRICA – 2009 TOTAL LOSSES TO BANKING INDUSTRY DUE TO LOST AND STOLEN CARDS – USD 13 MILLION – PERSONAL FINANCE
ATM/DEBIT/CREDIT CARD – RISKS
 CARD INFORMATION HELD IN MAGNETIC STRIPE INCLUDING PRIMARY ACCOUNT NUMBER, EXPIRY DATE
 CARD CAN BE CLONED IF DETAILS ON MAGNETIC STRIPE CAN BE COPIED USING SKIMMING DEVICES
 CARD CAN BE STOLEN/LOST
 USED FOR ‘CARDHOLDER NOT PRESENT’ TRANSACTIONS – OVER PHONE OR ONLINE
 PIN CAN BE OBTAINED USING HIDDEN CAMERAS IN ATM LOCATION OR CCTV CAMERAS IN VIEW OF THE KEYPAD!
CARD SKIMMING
 INVOLVES THE USE OF DEVICES THAT READ CARD DETAILS CONTAINED IN THE MAGNETIC STRIP OF THE CARD
 CAN BE PLACED IN THE ATM CARD SLOT OR CAN BE HAND HELD (POCKET)
 RESTAURANTS HIGH RISK!
 BEGAN TO OBSERVE COMPLAINTS IN UGANDA
 DISCUSSION AT BANKERS ASSOCIATION FRAUD AND FORGERIES SUB-COMMITTEE
 CASES OF FRAUD REPORTED BY MEMBER BANKS
 CUSTOMERS USUALLY HAD TRAVELLED ABROAD AT SOME POINT IN TIME
 SOUTH AFRICA – MENTIONED AS A DESTINATION VISITED IN SOME CASES
CARD SKIMMING
 ABSA – 177 ARRESTS, 26 SKIMMING DEVICES CAPTURED IN 2011 – PERSONAL FINANCE
 COST TO THE US – $60 MILLION PER YEAR! – CSO ONLINE
ATM RISK MITIGANTS
 CHIP AND PIN BASED CARDS
 AWARENESS TRAINING FOR CUSTOMERS!!
 PHYSICAL SECURITY
 CAUTION AT ATM SITES – WATCH OUT FOR CAMERAS, SKIMMING DEVICES
 SHIELD ENTRY OF PIN AT ATM WITH HAND/WALLET
 REGULAR CHECKING OF CARD BALANCES
 MERCHANT TRAINING
INTERNAL ACCOUNT TRANSFERS
 INCREASINGLY COMMON FRAUD IN THE INDUSTRY
 INVOLVES UNAUTHORISED ‘CREATION’ OF DEPOSITS
 DEBIT AN ‘OVERCROWDED’ ACCOUNT WITH SEVERAL ITEMS THAT IS DIFFICULT TO TRACE, E.G. A SUSPENSE ACCOUNT
 CREDIT IS MADE TO A CUSTOMER ACCOUNT
 FUNDS ARE WITHDRAWN!
POSSIBLE SOLUTIONS
 A COMBINATION OF ROLE BASED ACCESS AND LEAST PRIVILEGE RESTRICTIONS CAN BE ENFORCED
 RESTRICT TELLER OR OPERATIONS STAFF ABILITY TO POST TRANSACTIONS TO ADMINISTRATIVE ACCOUNTS, E.G. FIXED ASSET ACCOUNTS
 RESTRICT FINANCE DEPARTMENT STAFF ABILITY TO POST TRANSACTIONS DIRECTLY TO CUSTOMER ACCOUNTS
 G.L. AUDIT REVIEW – PERIODIC
 CLEAR TIMELINES FOR CLEARING OFF ITEMS IN SUSPENSE, TRANSIT AND CLEARING ACCOUNTS
IT PROJECT MANAGEMENT RISKS
 INADEQUATE SECURITY FEATURES ENFORCED DURING IMPLEMENTATION OF IT APPLICATION SYSTEMS – OBSERVED IN BANKING INDUSTRY IN THE PAST
 MUST PROVIDE FOR:
 GENERAL ACCESS CONTROLS
 IDENTIFICATION AND AUTHENTICATION CONTROLS
 AUDIT TRAIL
 COMMUNICATION CONTROLS – KELLY KIM 2008
 DATA MIGRATION CONTROLS – IMPORTANT
 TAKE ACCOUNT OF FACT THAT BANK SYSTEMS MAY NEED TO BE ONLINE 24/7/365
PROJECT MANAGEMENT
 PROJECT MANAGEMENT –
 BASELINE CONTROLS IMPLEMENTED
 IS AUDIT INVOLVEMENT
 POST IMPLEMENTATION REVIEW
 REGULATORY CERTIFICATION PRE IMPLEMENTATION
TREASURY
 HIGH RISK AREA
 BANK IS INVESTING OR TRADING:
 MONEY MARKET PRODUCTS
 FOREIGN CURRENCY (FX)
 DERIVATIVES
 TRANSACTION SIZES MAY BE VERY LARGE
 POTENTIAL FOR PROFIT/LOSSES MAY BE VERY LARGE DEPENDING ON MARKET CONDITIONS
TREASURY RISK
 APPROVAL TO COMMIT THE BANK IS GIVEN TO TRADERS BEFORE THE TRANSACTION THROUGH THE USE OF VARIOUS LIMITS
 MONITORING OF COMPLIANCE WITH LIMITS IS CRITICAL TO RISK MANAGEMENT IN TREASURY
 SEGREGATION OF DUTIES IS ALSO CRITICAL (FRONT OFFICE, MIDDLE OFFICE, BACK OFFICE)
 TRADERS MUST NOT HAVE ACCESS TO RATE REVALUATION SYSTEMS – COULD HIDE LOSSES
 TRADERS SHOULD NOT HAVE ACCESS TO CONFIRMATION AND SETTLEMENT SYSTEMS – COULD HIDE TRADES AND LOSSES
 IT SECURITY DESIGN IS IMPORTANT TO DEAL WITH THESE ISSUES
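The slide names two controls: pre-trade limits that are monitored, and segregation of duties so that a trader cannot revalue, confirm or settle. As an added example (not code from the presentation or from any dealing system), the following enforces both in one place: each office owns a fixed set of functions, trades are accepted only if neither the trader's nor the counterparty's limit would be breached, and revaluation against an independent market rate is refused to the front office. Roles, limits, counterparty names and the scenario figures are assumed.

```python
from collections import defaultdict

# Functions each office may perform. Assumed mapping of the front/middle/back
# office split the slide describes; not a real bank's configuration.
FUNCTIONS_BY_ROLE = {
    "FRONT_OFFICE": {"book_trade"},                    # traders deal
    "MIDDLE_OFFICE": {"revalue", "monitor_limits"},    # independent risk control
    "BACK_OFFICE": {"confirm", "settle"},              # confirmations and settlement
}


def authorised(role, function):
    """Segregation of duties check: True only if the role owns the function."""
    return function in FUNCTIONS_BY_ROLE.get(role, set())


class DealingControls:
    """Pre-trade limit checks plus a post-trade utilisation report."""

    def __init__(self, trader_limits, counterparty_limits):
        self.trader_limits = trader_limits        # trader -> max open notional
        self.cp_limits = counterparty_limits      # counterparty -> max exposure
        self.trader_exposure = defaultdict(int)
        self.cp_exposure = defaultdict(int)
        self.blotter = []                         # accepted trades
        self.exceptions = []                      # blocked or denied attempts

    def book(self, trade_id, user, role, counterparty, notional):
        """Accept a trade only if the user may deal and no limit would be breached."""
        if not authorised(role, "book_trade"):
            self.exceptions.append((trade_id, user, "SOD_VIOLATION"))
            return "DENIED: role may not book trades"
        new_trader = self.trader_exposure[user] + notional
        new_cp = self.cp_exposure[counterparty] + notional
        if new_trader > self.trader_limits.get(user, 0):
            self.exceptions.append((trade_id, user, "TRADER_LIMIT"))
            return "BLOCKED: trader limit exceeded"
        if new_cp > self.cp_limits.get(counterparty, 0):
            self.exceptions.append((trade_id, user, "COUNTERPARTY_LIMIT"))
            return "BLOCKED: counterparty limit exceeded"
        self.trader_exposure[user] = new_trader
        self.cp_exposure[counterparty] = new_cp
        self.blotter.append((trade_id, user, counterparty, notional))
        return "BOOKED"

    def revalue(self, user, role, trade_id, market_rate, dealt_rate, notional):
        """Mark a trade to an independent market rate. Traders are refused, so
        they cannot hide a loss by adjusting the revaluation rate."""
        if not authorised(role, "revalue"):
            self.exceptions.append((trade_id, user, "SOD_VIOLATION"))
            return None
        return round((market_rate - dealt_rate) * notional, 2)

    def utilisation(self):
        """Limit utilisation per trader as a fraction, for middle-office monitoring."""
        return {t: round(self.trader_exposure[t] / lim, 2)
                for t, lim in self.trader_limits.items()}


def run_sample():
    """Constructed scenario: one trader with a 1,000,000 limit and two counterparties."""
    ctl = DealingControls({"trader1": 1_000_000}, {"BANK-A": 800_000, "BANK-B": 500_000})
    results = [
        ctl.book("T1", "trader1", "FRONT_OFFICE", "BANK-A", 600_000),  # BOOKED
        ctl.book("T2", "trader1", "FRONT_OFFICE", "BANK-A", 300_000),  # BLOCKED: BANK-A would reach 900,000
        ctl.book("T3", "trader1", "FRONT_OFFICE", "BANK-B", 300_000),  # BOOKED; trader now at 900,000
        ctl.book("T4", "trader1", "FRONT_OFFICE", "BANK-B", 200_000),  # BLOCKED: trader limit
        ctl.book("T5", "ops1", "BACK_OFFICE", "BANK-B", 10_000),       # DENIED: back office cannot deal
    ]
    return ctl, results


if __name__ == "__main__":
    ctl, results = run_sample()
    print(results, ctl.utilisation(), ctl.exceptions)
```

The exceptions list is the feed for limit-compliance monitoring: a trader who repeatedly hits limits or attempts middle- or back-office functions is exactly the pattern the three cases on the next slide share.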
TREASURY – KEY BANK LOSSES/FRAUDS
 2002 – TRADER JOHN RUSNAK – £485 MILLION LOSS TO ALLIED IRISH BANK – TAMPERED WITH REUTERS RATES FEED
 2008 – TRADER JEROME KERVIEL – $7 BILLION LOSS – HAD PREVIOUSLY WORKED IN BACK OFFICE, HID TRANSACTIONS (TRADES), FALSIFIED E-MAIL – FVTER
 1995 – TRADER NICK LEESON – HID £865M LOSSES, BROUGHT DOWN BARINGS BANK… INTEGRATED IT SYSTEMS COULD HAVE PREVENTED BANK COLLAPSE – COMPUTERWEEKLY
COSO – CONTROL MODEL
 MONITORING
 INFORMATION AND COMMUNICATION
 CONTROL PROCEDURES
 RISK ASSESSMENT
 CONTROL ENVIRONMENT
IT GOVERNANCE
 ‘FINANCIAL INSTITUTIONS SHOULD IMPLEMENT AN ONGOING SECURITY PROCESS AND INSTITUTE APPROPRIATE GOVERNANCE FOR THE SECURITY FUNCTION, ASSIGNING CLEAR AND APPROPRIATE ROLES AND RESPONSIBILITIES TO THE BOARD OF DIRECTORS, MANAGEMENT AND EMPLOYEES’ – FFIEC
IS SECURITY STRATEGY
 FINANCIAL INSTITUTIONS SHOULD DEVELOP A STRATEGY THAT DEFINES CONTROL OBJECTIVES AND ESTABLISHES AN IMPLEMENTATION PLAN. THE SECURITY STRATEGY SHOULD INCLUDE:
 APPROPRIATE CONSIDERATION OF PREVENTION, DETECTION, AND RESPONSE MECHANISMS,
 IMPLEMENTATION OF THE LEAST PERMISSIONS AND LEAST PRIVILEGES CONCEPTS,
 LAYERED CONTROLS THAT ESTABLISH MULTIPLE CONTROL POINTS BETWEEN THREATS AND ORGANIZATION ASSETS, AND
 POLICIES THAT GUIDE OFFICERS AND EMPLOYEES IN IMPLEMENTING THE SECURITY PROGRAM. – FFIEC
IT RISK ASSESSMENT
 GATHERS DATA REGARDING THE INFORMATION AND TECHNOLOGY ASSETS OF THE ORGANIZATION, THREATS TO THOSE ASSETS, VULNERABILITIES, EXISTING SECURITY CONTROLS AND PROCESSES, AND THE CURRENT SECURITY STANDARDS AND REQUIREMENTS;
 ANALYZES THE PROBABILITY AND IMPACT ASSOCIATED WITH THE KNOWN THREATS AND VULNERABILITIES TO THEIR ASSETS; AND
 PRIORITIZES THE RISKS PRESENT DUE TO THREATS AND VULNERABILITIES TO DETERMINE THE APPROPRIATE LEVEL OF TRAINING, CONTROLS, AND ASSURANCE NECESSARY FOR EFFECTIVE MITIGATION. – FFIEC
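The three FFIEC steps quoted above (gather, analyse probability and impact, prioritise) can be run over a small risk register. This is an added example, not the FFIEC's method or the presenter's: the 3-point likelihood and impact scales, the control-effectiveness factor, the treatment thresholds and every entry in the sample register are assumed for illustration. The entries echo risks raised elsewhere in the deck (suspense-account postings, unpatched software, backup tapes).

```python
# Ordinal scales for the probability (likelihood) and impact of a threat
# exploiting a vulnerability. Assumed 3-point scales; the FFIEC text quoted on
# the slide prescribes the steps, not the scale.
LIKELIHOOD = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
IMPACT = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def score(entry):
    """Inherent and residual risk for one register entry. Residual risk is the
    inherent score scaled down by how effective the existing control is judged
    to be (0.0 = no control, 1.0 = fully effective)."""
    inherent = LIKELIHOOD[entry["likelihood"]] * IMPACT[entry["impact"]]
    residual = inherent * (1 - entry["control_effectiveness"])
    return inherent, round(residual, 2)


def treatment(residual):
    """Level of response implied by the residual score (assumed thresholds)."""
    if residual >= 4.5:
        return "CONTROLS + INDEPENDENT ASSURANCE"
    if residual >= 2:
        return "ADDITIONAL CONTROLS"
    return "TRAINING / MONITOR"


def prioritise(register):
    """Rank register entries by residual risk, highest first; ties fall back to
    inherent risk so an uncontrolled high-impact item is not buried."""
    ranked = []
    for entry in register:
        inherent, residual = score(entry)
        ranked.append({**entry, "inherent": inherent, "residual": residual,
                       "treatment": treatment(residual)})
    return sorted(ranked, key=lambda r: (-r["residual"], -r["inherent"], r["asset"]))


# Constructed sample register; assets, threats and vulnerabilities are illustrative.
SAMPLE_REGISTER = [
    {"asset": "CORE BANKING G.L.", "threat": "INSIDER CREATES FICTITIOUS DEPOSIT",
     "vulnerability": "NO ROLE RESTRICTION ON SUSPENSE POSTINGS",
     "likelihood": "HIGH", "impact": "HIGH", "control_effectiveness": 0.3},
    {"asset": "E-BANKING WEB SERVER", "threat": "EXTERNAL INTRUSION",
     "vulnerability": "UNPATCHED SOFTWARE",
     "likelihood": "MEDIUM", "impact": "HIGH", "control_effectiveness": 0.5},
    {"asset": "BACKUP TAPES", "threat": "LOSS IN TRANSIT",
     "vulnerability": "TAPES NOT ENCRYPTED",
     "likelihood": "LOW", "impact": "HIGH", "control_effectiveness": 0.0},
    {"asset": "BRANCH WORKSTATIONS", "threat": "MALWARE",
     "vulnerability": "USERS RUN AS LOCAL ADMINISTRATOR",
     "likelihood": "MEDIUM", "impact": "MEDIUM", "control_effectiveness": 0.8},
]


if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f'{r["residual"]:>4}  {r["asset"]:<22} {r["treatment"]}')
```

The control-effectiveness factor is where the "information regarding control effectiveness" from the next slide enters the calculation: an entry with a strong, tested control drops down the list even when its inherent score is high.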
IT RISK ASSESSMENT
 BOTH TECHNICAL AND NON-TECHNICAL INFORMATION SHOULD BE GATHERED.
 TECHNICAL INFORMATION –
 NETWORK MAPS DETAILING INTERNAL AND EXTERNAL CONNECTIVITY;
 HARDWARE AND SOFTWARE INVENTORIES;
 DATABASES AND FILES THAT CONTAIN CRITICAL AND/OR CONFIDENTIAL INFORMATION;
 PROCESSING ARRANGEMENTS AND INTERFACES WITH EXTERNAL ENTITIES;
 HARDWARE AND SOFTWARE CONFIGURATIONS;
 POLICIES, STANDARDS, AND PROCEDURES FOR THE OPERATION, MAINTENANCE, UPGRADING, AND MONITORING OF TECHNICAL SYSTEMS. – FFIEC
IT RISK ASSESSMENT
 NON-TECHNICAL INFORMATION –
 POLICIES, STANDARDS, AND PROCEDURES ADDRESSING PHYSICAL SECURITY (INCLUDING FACILITIES AS WELL AS INFORMATION ASSETS THAT INCLUDE LOAN DOCUMENTATION, DEPOSIT RECORDS AND SIGNATURE CARDS, AND KEY AND ACCESS CODE LISTS),
 PERSONNEL SECURITY (INCLUDING HIRING BACKGROUND CHECKS AND BEHAVIOUR MONITORING),
 VENDOR CONTRACTS, PERSONNEL SECURITY TRAINING AND EXPERTISE, AND
 INSURANCE COVERAGE.
 ADDITIONALLY, INFORMATION REGARDING CONTROL EFFECTIVENESS SHOULD BE GATHERED. TYPICALLY, THAT INFORMATION COMES FROM SECURITY MONITORING, INCLUDING SELF-ASSESSMENTS, METRICS, AND INDEPENDENT TESTS. – FFIEC
IT SYSTEMS ASSESSMENT
 ‘SOME SYSTEMS AND DATA STORES MAY NOT BE READILY APPARENT. FOR EXAMPLE, BACKUP TAPES, PORTABLE COMPUTERS, PERSONAL DIGITAL ASSISTANTS, MEDIA SUCH AS COMPACT DISKS, MICRO DRIVES, AND DISKETTES, AND MEDIA USED IN SOFTWARE DEVELOPMENT AND TESTING SHOULD BE CONSIDERED’. – FFIEC
IT THREATS AND VULNERABILITIES
 THREATS – EVENTS THAT COULD CAUSE HARM TO THE CONFIDENTIALITY, INTEGRITY, OR AVAILABILITY OF INFORMATION OR INFORMATION SYSTEMS.
 EXPLOITING A VULNERABILITY TO CAUSE HARM THROUGH THE UNAUTHORIZED DISCLOSURE, MISUSE, ALTERATION, OR DESTRUCTION OF INFORMATION OR INFORMATION SYSTEMS.
 INTERNAL (MALICIOUS OR INCOMPETENT EMPLOYEES, CONTRACTORS, SERVICE PROVIDERS, AND FORMER INSIDERS)
 EXTERNAL (CRIMINALS, RECREATIONAL HACKERS, COMPETITORS, AND TERRORISTS). – FFIEC
IT THREATS AND VULNERABILITIES
 VULNERABILITIES – WEAKNESSES IN A SYSTEM, OR CONTROL GAPS THAT, IF EXPLOITED, COULD RESULT IN THE UNAUTHORIZED DISCLOSURE, MISUSE, ALTERATION, OR DESTRUCTION OF INFORMATION OR INFORMATION SYSTEMS.
 VULNERABILITIES ARE GENERALLY GROUPED INTO TWO TYPES: KNOWN AND EXPECTED. – FFIEC
VULNERABILITIES
 KNOWN VULNERABILITIES – DISCOVERED BY TESTING OR OTHER REVIEWS OF THE ENVIRONMENT, KNOWLEDGE OF POLICY WEAKNESSES, KNOWLEDGE OF INADEQUATE IMPLEMENTATIONS, AND KNOWLEDGE OF PERSONNEL ISSUES.
 EXPECTED VULNERABILITIES – THOSE THAT CAN REASONABLY BE ANTICIPATED TO ARISE IN THE FUTURE. EXAMPLES:
 UNPATCHED SOFTWARE,
 NEW AND UNIQUE ATTACK METHODOLOGIES THAT BYPASS CURRENT CONTROLS,
 EMPLOYEE AND CONTRACTOR FAILURES TO PERFORM SECURITY DUTIES SATISFACTORILY,
 PERSONNEL TURNOVER – FFIEC
IT SECURITY POLICY
 KEY ACTIONS THAT CONTRIBUTE TO THE SUCCESS OF A SECURITY POLICY ARE:
 IMPLEMENTING THROUGH ORDINARY MEANS, SUCH AS SYSTEM ADMINISTRATION PROCEDURES AND ACCEPTABLE-USE POLICIES;
 ENFORCING POLICY THROUGH SECURITY TOOLS AND SANCTIONS;
 DELINEATING THE AREAS OF RESPONSIBILITY FOR USERS, ADMINISTRATORS, AND MANAGERS;
 COMMUNICATING IN A CLEAR, UNDERSTANDABLE MANNER TO ALL CONCERNED;
 OBTAINING EMPLOYEE CERTIFICATION THAT THEY HAVE READ AND UNDERSTOOD THE POLICY;
 PROVIDING FLEXIBILITY TO ADDRESS CHANGES IN THE ENVIRONMENT; AND
 CONDUCTING ANNUALLY A REVIEW AND APPROVAL BY THE BOARD OF DIRECTORS. – FFIEC
SECURITY DOMAINS
 A SECURITY DOMAIN IS A PART OF THE SYSTEM WITH ITS OWN POLICIES AND CONTROL MECHANISMS.
 SECURITY DOMAINS FOR A NETWORK ARE TYPICALLY CONSTRUCTED FROM ROUTING CONTROLS AND DIRECTORIES.
 DOMAINS CONSTRUCTED FROM ROUTING CONTROLS MAY BE BOUNDED BY NETWORK PERIMETERS WITH PERIMETER CONTROLS.
 THE PERIMETERS SEPARATE WHAT IS NOT TRUSTED FROM WHAT MAY BE TRUSTWORTHY. THE PERIMETERS SERVE AS WELL-DEFINED TRANSITION POINTS BETWEEN TRUST AREAS WHERE POLICY ENFORCEMENT AND MONITORING TAKES PLACE.
 AN EXAMPLE OF SUCH A DOMAIN IS A DEMILITARIZED ZONE (DMZ), BOUNDED BY A PERIMETER THAT CONTROLS ACCESS FROM OUTSIDE AND INSIDE THE INSTITUTION.
 DOMAINS CONSTRUCTED FROM DIRECTORIES MAY LIMIT ACCESS TO NETWORK RESOURCES AND APPLICATIONS BASED ON ROLE OR FUNCTION. – FFIEC
DEFENSE IN DEPTH
 FINANCIAL INSTITUTIONS SHOULD DESIGN MULTIPLE LAYERS OF SECURITY CONTROLS
 ESTABLISH SEVERAL LINES OF DEFENSE BETWEEN THE ATTACKER AND THE ASSET BEING ATTACKED.
 AN INTERNET SECURITY EXAMPLE – A PACKET FILTERING ROUTER WITH STRICT ACCESS CONTROL RULES, IN FRONT OF AN APPLICATION LEVEL FIREWALL, IN FRONT OF WEB SERVERS, IN FRONT OF A TRANSACTIONAL SERVER, IN FRONT OF A DATABASE SERVER, WITH INTRUSION DETECTION SYSTEMS LOCATED AT VARIOUS POINTS BETWEEN THE SERVERS AND ON CERTAIN HOSTS.
 THE LAYERS SHOULD BE AT MULTIPLE CONTROL POINTS THROUGHOUT THE COMMUNICATION AND TRANSACTIONAL FLOW AND SHOULD INCLUDE BOTH SYSTEMS AND MANUAL PROCESSES. TO SUCCESSFULLY ATTACK AN ASSET, EACH LAYER MUST BE PENETRATED. WITH EACH PENETRATION, THE PROBABILITY OF DETECTING THE ATTACKER INCREASES. – FFIEC
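The last sentence of the FFIEC text above can be made precise. As an added worked equation, not part of the quoted text: suppose an attacker must pass $n$ control layers and layer $i$ detects the intrusion with probability $p_i$, independently of the others. The attack goes unnoticed only if every layer misses it, so

$$P(\text{undetected}) = \prod_{i=1}^{n} (1 - p_i), \qquad P(\text{detected}) = 1 - \prod_{i=1}^{n} (1 - p_i).$$

For the four-layer Internet example on the slide, with assumed per-layer detection rates $p = (0.5,\ 0.4,\ 0.3,\ 0.6)$:

$$P(\text{undetected}) = 0.5 \times 0.6 \times 0.7 \times 0.4 = 0.084, \qquad P(\text{detected}) = 1 - 0.084 = 0.916.$$

Adding a layer with $p_{n+1} > 0$ multiplies the miss probability by $(1 - p_{n+1}) < 1$, so detection never decreases. The independence assumption is the caveat a reviewer should test: layers that share a vendor, an administrator account or a monitoring feed tend to fail together, and the product then overstates the protection.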
NETWORK SECURITY
 FINANCIAL INSTITUTIONS SHOULD SECURE ACCESS TO THEIR COMPUTER NETWORKS THROUGH MULTIPLE LAYERS OF ACCESS CONTROLS TO PROTECT AGAINST UNAUTHORIZED ACCESS. INSTITUTIONS SHOULD:
 GROUP NETWORK SERVERS, APPLICATIONS, DATA, AND USERS INTO SECURITY DOMAINS (E.G., UNTRUSTED EXTERNAL NETWORKS, EXTERNAL SERVICE PROVIDERS, OR VARIOUS INTERNAL USER SYSTEMS);
 ESTABLISH APPROPRIATE ACCESS REQUIREMENTS WITHIN AND BETWEEN EACH SECURITY DOMAIN;
 IMPLEMENT APPROPRIATE TECHNOLOGICAL CONTROLS TO MEET THOSE ACCESS REQUIREMENTS CONSISTENTLY; AND
 MONITOR CROSS-DOMAIN ACCESS FOR SECURITY POLICY VIOLATIONS AND ANOMALOUS ACTIVITY. – FFIEC
OPERATING SYSTEM SECURITY
 FINANCIAL INSTITUTIONS SHOULD SECURE ACCESS TO THE OPERATING SYSTEMS OF ALL SYSTEM COMPONENTS BY:
 SECURING ACCESS TO SYSTEM UTILITIES,
 RESTRICTING AND MONITORING PRIVILEGED ACCESS,
 LOGGING AND MONITORING USER OR PROGRAM ACCESS TO SENSITIVE RESOURCES AND ALERTING ON SECURITY EVENTS,
 UPDATING THE OPERATING SYSTEMS WITH SECURITY PATCHES, AND
 SECURING THE DEVICES THAT CAN ACCESS THE OPERATING SYSTEM THROUGH PHYSICAL AND LOGICAL MEANS. – FFIEC
APPLICATION SECURITY
 FINANCIAL INSTITUTIONS SHOULD CONTROL ACCESS TO APPLICATIONS BY:
 USING AUTHENTICATION AND AUTHORIZATION CONTROLS APPROPRIATELY ROBUST FOR THE RISK OF THE APPLICATION,
 MONITORING ACCESS RIGHTS TO ENSURE THEY ARE THE MINIMUM REQUIRED FOR THE USER'S CURRENT BUSINESS NEEDS,
 USING TIME-OF-DAY LIMITATIONS ON ACCESS AS APPROPRIATE,
 LOGGING ACCESS AND SECURITY EVENTS, AND
 USING SOFTWARE THAT ENABLES RAPID ANALYSIS OF USER ACTIVITIES. – FFIEC
REMOTE ACCESS CONTROLS
 FINANCIAL INSTITUTIONS SHOULD SECURE REMOTE ACCESS TO AND FROM THEIR SYSTEMS BY:
 DISABLING REMOTE COMMUNICATIONS IF NO BUSINESS NEED EXISTS,
 TIGHTLY CONTROLLING ACCESS THROUGH MANAGEMENT APPROVALS AND SUBSEQUENT AUDITS,
 IMPLEMENTING ROBUST CONTROLS OVER CONFIGURATIONS AT BOTH ENDS OF THE REMOTE CONNECTION TO PREVENT POTENTIAL MALICIOUS USE,
 LOGGING AND MONITORING ALL REMOTE ACCESS COMMUNICATIONS,
 SECURING REMOTE ACCESS DEVICES, AND
 USING STRONG AUTHENTICATION AND ENCRYPTION TO SECURE COMMUNICATIONS. – FFIEC
PHYSICAL ACCESS CONTROLS
 FINANCIAL INSTITUTIONS SHOULD DEFINE PHYSICAL SECURITY ZONES AND IMPLEMENT APPROPRIATE PREVENTATIVE AND DETECTIVE CONTROLS IN EACH ZONE TO PROTECT AGAINST THE RISKS OF:
 PHYSICAL PENETRATION BY MALICIOUS OR UNAUTHORIZED PEOPLE,
 DAMAGE FROM ENVIRONMENTAL CONTAMINANTS, AND
 ELECTRONIC PENETRATION THROUGH ACTIVE OR PASSIVE ELECTRONIC EMISSIONS. – FFIEC
ENCRYPTION CONTROLS
 FINANCIAL INSTITUTIONS SHOULD EMPLOY ENCRYPTION TO MITIGATE THE RISK OF DISCLOSURE OR ALTERATION OF SENSITIVE INFORMATION IN STORAGE AND TRANSIT. ENCRYPTION IMPLEMENTATIONS SHOULD INCLUDE:
 ENCRYPTION STRENGTH SUFFICIENT TO PROTECT THE INFORMATION FROM DISCLOSURE UNTIL SUCH TIME AS DISCLOSURE POSES NO MATERIAL RISK,
 EFFECTIVE KEY MANAGEMENT PRACTICES,
 ROBUST RELIABILITY, AND
 APPROPRIATE PROTECTION OF THE ENCRYPTED COMMUNICATION'S ENDPOINTS. – FFIEC
ENCRYPTION KEY MANAGEMENT
 GENERATING KEYS FOR DIFFERENT CRYPTOGRAPHIC SYSTEMS AND DIFFERENT APPLICATIONS;
 GENERATING AND OBTAINING PUBLIC KEYS;
 DISTRIBUTING KEYS TO INTENDED USERS, INCLUDING HOW KEYS SHOULD BE ACTIVATED WHEN RECEIVED;
 STORING KEYS, INCLUDING HOW AUTHORIZED USERS OBTAIN ACCESS TO KEYS;
 CHANGING OR UPDATING KEYS, INCLUDING RULES ON WHEN KEYS SHOULD BE CHANGED AND HOW THIS WILL BE DONE;
 DEALING WITH COMPROMISED KEYS;
 REVOKING KEYS AND SPECIFYING HOW KEYS SHOULD BE WITHDRAWN OR DEACTIVATED;
 RECOVERING KEYS THAT ARE LOST OR CORRUPTED AS PART OF BUSINESS CONTINUITY MANAGEMENT;
 ARCHIVING KEYS;
 DESTROYING KEYS. – FFIEC
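The FFIEC list above is a lifecycle: generate, change on schedule, handle compromise, revoke, archive, destroy. The following added example (not FFIEC's or the presenter's code) implements that lifecycle as a state machine over keys that protect records with HMAC-SHA256 integrity tags; the same states and transitions apply to encryption keys. The state names, the 90-day rotation policy and the rule that the active key can never be destroyed are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Key states and what each permits. Assumed lifecycle for illustration; it
# follows the FFIEC list on the slide but is not the FFIEC's own scheme.
CAN_VERIFY = {"ACTIVE", "DEACTIVATED", "ARCHIVED"}   # only ACTIVE may protect new data


class KeyManager:
    """Minimal key-lifecycle store. Keys protect records with HMAC-SHA256 tags."""

    def __init__(self, rotation_days=90):
        self.rotation_days = rotation_days
        self.keys = {}          # key_id -> {"material", "state", "created"}
        self.active = None
        self.log = []           # audit trail of lifecycle events

    def generate(self, today):
        """Create a fresh key and make it the only key allowed to protect data."""
        key_id = f"k{len(self.keys) + 1:03d}"
        self.keys[key_id] = {"material": secrets.token_bytes(32), "state": "ACTIVE",
                             "created": date.fromisoformat(today)}
        if self.active and self.keys[self.active]["state"] == "ACTIVE":
            self.keys[self.active]["state"] = "DEACTIVATED"   # old key: verify only
        self.active = key_id
        self.log.append((today, key_id, "GENERATED"))
        return key_id

    def rotate_if_due(self, today):
        """Scheduled change: replace the active key once it exceeds the policy age."""
        age = (date.fromisoformat(today) - self.keys[self.active]["created"]).days
        return self.generate(today) if age >= self.rotation_days else self.active

    def protect(self, record):
        """Tag a record with the active key; returns (key_id, tag)."""
        material = self.keys[self.active]["material"]
        return self.active, hmac.new(material, record, hashlib.sha256).hexdigest()

    def verify(self, key_id, record, tag):
        """Check a tag.  Fails closed for compromised, destroyed or unknown keys."""
        entry = self.keys.get(key_id)
        if entry is None or entry["state"] not in CAN_VERIFY:
            return False
        expected = hmac.new(entry["material"], record, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

    def compromise(self, key_id, today):
        """Emergency change: revoke the key outright and, if it was active, replace it."""
        self.keys[key_id]["state"] = "COMPROMISED"
        self.log.append((today, key_id, "COMPROMISED"))
        return self.generate(today) if key_id == self.active else self.active

    def archive(self, key_id, today):
        """Retain a retired key so old records stay verifiable; it still cannot protect."""
        if self.keys[key_id]["state"] != "DEACTIVATED":
            return False
        self.keys[key_id]["state"] = "ARCHIVED"
        self.log.append((today, key_id, "ARCHIVED"))
        return True

    def destroy(self, key_id, today):
        """Erase key material.  Refused for the active key so data stays recoverable."""
        if key_id == self.active:
            return False
        self.keys[key_id].update(material=None, state="DESTROYED")
        self.log.append((today, key_id, "DESTROYED"))
        return True


if __name__ == "__main__":
    km = KeyManager()
    k1 = km.generate("2012-01-01")
    kid, tag = km.protect(b"ACCT 123 BAL 500")          # constructed sample record
    print(k1, km.verify(kid, b"ACCT 123 BAL 500", tag))
    print(km.rotate_if_due("2012-04-15"), km.keys[k1]["state"])
```

Records tagged under a compromised key fail verification on purpose: "dealing with compromised keys" means re-protecting that data under the new key, and a store that kept verifying with the old one would hide the exposure.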
MONITORING
 MONITORING NETWORK AND HOST ACTIVITY TO IDENTIFY POLICY VIOLATIONS AND ANOMALOUS BEHAVIOR;
 MONITORING HOST AND NETWORK CONDITION TO IDENTIFY UNAUTHORIZED CONFIGURATION AND OTHER CONDITIONS WHICH INCREASE THE RISK OF INTRUSION OR OTHER SECURITY EVENTS;
 ANALYZING THE RESULTS OF MONITORING TO ACCURATELY AND QUICKLY IDENTIFY, CLASSIFY, ESCALATE, REPORT, AND GUIDE RESPONSES TO SECURITY EVENTS; AND
 RESPONDING TO INTRUSIONS AND OTHER SECURITY EVENTS AND WEAKNESSES TO APPROPRIATELY MITIGATE THE RISK TO THE INSTITUTION AND ITS CUSTOMERS, AND TO RESTORE THE INSTITUTION'S SYSTEMS.
 MONITORING SHOULD, COMMENSURATE WITH THE RISK, IDENTIFY CONTROL FAILURES BEFORE A SECURITY INCIDENT OCCURS, DETECT AN INTRUSION IN SUFFICIENT TIME TO ENABLE AN EFFECTIVE AND TIMELY RESPONSE, AND SUPPORT POST-EVENT FORENSICS ACTIVITIES. – FFIEC
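The monitoring slide above asks for policy violations and anomalies to be identified and classified; the Network Security slide asks for cross-domain access to be monitored, and the Application Security slide for time-of-day limits and logged access. One added example serves all three (it is not code from the presentation or from any bank's monitoring tool): a parser for a constructed application access log and four detection rules run over it. The log format, security-domain address ranges, business hours, privileged actions and the failed-login threshold are all assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed application access log (not real bank data). One event per line.
SAMPLE_LOG = """\
2012-03-01T09:05:11 user=teller07 role=TELLER app=CORE action=LOGIN src=10.1.5.22 result=OK
2012-03-01T09:06:40 user=teller07 role=TELLER app=CORE action=POST_CUSTOMER src=10.1.5.22 result=OK
2012-03-01T02:14:07 user=teller12 role=TELLER app=CORE action=LOGIN src=10.1.5.30 result=OK
2012-03-01T02:15:01 user=teller12 role=TELLER app=CORE action=POST_SUSPENSE src=10.1.5.30 result=OK
2012-03-01T10:00:00 user=webapp role=SERVICE app=CORE action=QUERY src=192.0.2.10 result=OK
2012-03-01T11:00:00 user=fin03 role=FINANCE app=CORE action=LOGIN src=10.9.1.4 result=FAIL
2012-03-01T11:00:20 user=fin03 role=FINANCE app=CORE action=LOGIN src=10.9.1.4 result=FAIL
2012-03-01T11:00:45 user=fin03 role=FINANCE app=CORE action=LOGIN src=10.9.1.4 result=FAIL
2012-03-01T11:02:00 user=fin03 role=FINANCE app=CORE action=LOGIN src=10.9.1.4 result=OK
"""

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) app=(?P<app>\S+) "
                  r"action=(?P<action>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")

# Assumed security domains and policy (the DMZ uses a documentation address range).
DOMAINS = {"BRANCH": ipaddress.ip_network("10.1.0.0/16"),
           "DATACENTRE": ipaddress.ip_network("10.9.0.0/16"),
           "DMZ": ipaddress.ip_network("192.0.2.0/24")}
ALLOWED_DOMAINS = {"CORE": {"BRANCH", "DATACENTRE"}, "EBANKING": {"DMZ", "DATACENTRE"}}
BUSINESS_HOURS = {"TELLER": (8, 18)}         # role -> (start hour, end hour); others unrestricted
PRIVILEGED_ACTIONS = {"POST_SUSPENSE", "CHANGE_LIMIT"}
PRIVILEGED_ROLES = {"FINANCE", "ADMIN"}
FAILED_LOGIN_THRESHOLD = 3


def domain_of(ip):
    """Security domain of a source address, or UNKNOWN if it is in no defined domain."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in DOMAINS.items() if addr in net), "UNKNOWN")


def parse(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def analyse(text):
    """Apply the policy rules and return (severity, rule, user, timestamp) alerts."""
    alerts = []
    failures = Counter()
    for ev in parse(text):
        window = BUSINESS_HOURS.get(ev["role"])
        if window and not window[0] <= ev["time"].hour < window[1]:
            alerts.append(("MEDIUM", "AFTER_HOURS", ev["user"], ev["ts"]))
        if domain_of(ev["src"]) not in ALLOWED_DOMAINS.get(ev["app"], set()):
            alerts.append(("HIGH", "CROSS_DOMAIN", ev["user"], ev["ts"]))
        if ev["action"] in PRIVILEGED_ACTIONS and ev["role"] not in PRIVILEGED_ROLES:
            alerts.append(("HIGH", "PRIVILEGE_MISUSE", ev["user"], ev["ts"]))
        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            failures[ev["user"]] += 1
            if failures[ev["user"]] == FAILED_LOGIN_THRESHOLD:   # alert once, at the threshold
                alerts.append(("MEDIUM", "REPEATED_LOGIN_FAILURE", ev["user"], ev["ts"]))
    return alerts


def summarise(alerts):
    """Counts per rule: the figures a monitoring report would escalate."""
    return dict(Counter(rule for _, rule, _, _ in alerts))


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
    print(summarise(analyse(SAMPLE_LOG)))
```

The two HIGH alerts are the ones that map directly onto this deck's fraud pattern: a teller posting to suspense, and a DMZ host reaching the core system it should be isolated from. Severity is assigned by rule so that escalation is consistent, which is the "classify" step the FFIEC text asks for.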
FUTURE TRENDS/THREATS
 DEPEND ON TECHNOLOGY TRENDS
 TELECOMS AND BANKING CONVERGENCE
 RISKS IN MOBILE MONEY INDUSTRY
 CLOUD COMPUTING
 MOBILE COMPUTING AND WIRELESS COMPUTING THREATS
 EASE OF ACCESS TO INTERNET AND TOOLS TO COMMIT FRAUD
 FASTER SPEEDS FOR INTERNET ACCESS IN EAST AFRICA
 GREATER OUTSOURCING?
 NEW IT SAVVY GENERATION?
SOLUTIONS
 IT AWARENESS
 USER AND CUSTOMER TRAINING
 STAFF SCREENING
 ETHICAL EMPHASIS
 EMBEDDING STRONG CONTROL AND RISK CULTURE IN BANKS
 SYSTEMS CERTIFICATION BY REGULATORS BEFORE DEPLOYMENT
 STRENGTHEN IT CONTROL, SECURITY, AUDIT PROFESSION AND TRAIN MORE PROFESSIONALS
 INCREASE CEO AND BOARD AWARENESS
OTHER BEST PRACTICES
 ISO 17799: CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT
 BS 7799: SPECIFICATION FOR INFORMATION SECURITY MANAGEMENT SYSTEMS
 COBIT

QUESTIONS?
REFERENCES
http://ithandbook.ffiec.gov/it-booklets.aspx
http://www.securitymanagement.com/article/atm-fraud-trendseurope-006362
http://www.bizreport.com/2009/03/consumers_in_the_us_are.html#
http://www.csoonline.com/article/555863/atm-skimming-how-torecognize-card-fraud
http://iss.gwu.edu/merlincgi/p/downloadFile/d/21440/n/off/other/1/name/BaselineSecurityRequirementsandControls-Techn/
http://fvter.wordpress.com/2008/01/30/kervielsociete-generaleinformation-security-insider-threat/
http://www.computerweekly.com/Articles/2009/10/27/238308/Podcastinterview-Nick-Leeson-says-Integrated-IT-could-have-preventedBarings.htm