1. 1
FIRST UNION BANK
REPORT
Yogesh Kumar
The world has changed over
the last few years, especially
within banking. Its processes
– from retail transactions to
market operations – have
been transformed by
technology and continue to
evolve.
Northeastern University
ITC6320
2. 2
Best practices in security
are reactionary and
outdated. It’s time for a new
approach. In this webcast,
we will show you how the
threat landscape is
evolving and how to adapt
your security strategy to
new types of attacks.
Abandon the idea that
security success requires
100% prevention. We’re in
a post-prevention era,
where it is no longer enough
to prevent attacks—you
need a fast, focused
response to a breach. The
challenge is to define a
border around data that is
accessed from anywhere,
when users can access the
Internet from anywhere.
From “The cyberwar plan”, published
in the National Journal in
2009: “in the months before
the U.S. invasion of Iraq in
March 2003, military
planners considered a
computerized attack to
disable the networks that
controlled Iraq’s banking
system, but they backed off
when they realized that those
networks were global and
connected to banks in
France.” A cyber attack
could contribute to, or trigger,
the financial collapse of a
nation, or even a group of
connected nations.
Between the 1880s and the
1930s, physical bank burglaries
were a substantial problem. To
counter these threats, banks
employed vaults to protect their
contents from theft,
unauthorized use, fire, natural
disasters, and other threats.
During the 1950s,
researchers at the
Stanford Research
Institute invented
“ERMA”, the Electronic
Recording Method of
Accounting computer
processing system.
3. 3
Attacker activity and motivation
Targeting bank systems
directly to modify, delete
and steal data.
Criminal capabilities: network intrusion, hackers-for-hire, insiders (witting and unwitting).
Common actors: state-sponsored, criminals, hacktivists.
The targeted intrusion into a bank’s
systems is often perceived as the
greatest threat due to the malicious
actor’s ability to not only steal
data but modify or delete it. By
exploiting software, hardware or
human vulnerabilities hackers can
gain administrative control of
networks which, if abused, could
cause catastrophic consequences. If
published, network security breaches
can affect share prices, cause
irreparable reputational damage and
impact on the stability of the wider
financial market.
Targeting disruption of
access to bank network
systems and services.
Criminal capabilities: denial of service, ransomware.
Common actors: state-sponsored, criminals, hacktivists.
Denial of Service (DoS) attacks are
increasing in scale and
effectiveness. Over the last 12
months cyber actors have
increasingly utilized open domain
name servers to amplify their
attacks. A high-profile example of
this in 2013 was against Spamhaus,
which resulted in the largest
recorded DoS attack, reaching over
300 gigabytes per second (the
average being approximately 3).
The large-scale harvesting of personal and business data to commit fraud.
Key criminal capabilities: financial trojans, man-in-the-middle attacks, botnets,
exploit kits, spam, social engineering.
Common actors: criminals, terrorists (financing).
Financially motivated crime groups are a growing threat to banks. The growth in the
“as-a-service” nature of the marketplace is fuelling an increase in the number of traditional
crime groups and individuals drawn into cyber offending.
4. 4
The three main categories of malicious actors
involved in cyber-attacks.
5. 5
In 70% of the cases studied, the insiders exploited or attempted to exploit systemic vulnerabilities in applications and processes.
In 61% of cases, the insiders exploited vulnerabilities inherent in the hardware, software or network design.
91% of all the surveyed organizations experienced financial loss as a result of an insider attack.
26% of cases involved the use of someone else's computer account, physical use of an unsecured terminal, or social engineering.
Report: “Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector” (2004)
Instead of comprehensively
and systematically addressing
known vulnerabilities, many
banks have been content to
live with an “acceptable”
degree of operating
losses. Most banks hedged
their bets with insurance and
limited countermeasures,
many pursuing various
approaches to shift liability,
and the costs to implement
security controls, to others.
6. 6
Reasons for Inadequate Bank
Security Policy:
Inappropriate passwords and responding to social engineering
Internet and e-mail policy limitations
Responding to viruses and other malware.
Inappropriate usage of systems including the servers, computers and
external media devices.
Inappropriate physical security measures to ensure the protection of
facilities, assets and personnel.
7. 7
Unofficial floppies, CDs or flash
drives should not be used on office
systems. A floppy should be
write-protected if data is to be
transferred from floppy to system.
Keep the system screen saver
enabled with password protection.
Do not share or disclose your
password. Users should not have
easily guessable passwords for
network access, screen saver, etc.
Change passwords at regular
intervals.
Backup should be maintained
regularly on the space provided on
central server of the department
or on the storage media as per
department policy. Keep the DATs
or other removable media in a
secure location away from the
Computer. For sensitive and
important data offsite backup
should be used.
Implementations for Security:
Keep portable equipment
secure. Report any loss of
data or accessories to the
System Administrator. Install
UPS system with adequate
battery backups to avoid any
data loss or corruption due to
power failure.
All file level security depends
upon the file system. Only the
most secure file system
should be chosen for the
server. Then user permissions
for individual files, folders and
drives should be set. Avoid
creating junk files and
folders.
Users should not do personal
work on the computers. Do not
install or copy software on a system
without the permission of the
System Administrator.
8. 8
Challenges for Kerberos Authentication
System
Biggest weakness: the assumption of a
secure time system, and the resolution of
synchronization required.
Password guessing: no
authentication is required to request
a ticket, hence an attacker can gather
the equivalent of /etc/passwd by
requesting many tickets.
Not a host-to-host protocol.
Chosen plaintext: in CBC, a prefix of an
encryption is the encryption of a prefix,
so an attacker can disassemble
messages and use just part of a
message.
Changes
We could fix Kerberos by adding a challenge-response protocol to the
authentication handshake. It could be fixed by a D-H key exchange.
We can go with other protocols such as SSL, TLS, SSH, IPsec, etc.
Stop using the iPad for a few days until the issue is resolved.
Implement a secured protocol that will be safe for mobile
applications too.
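The challenge-response change proposed above, as an added example that is not part of the original report: a toy KDC that issues nothing until the client proves knowledge of its password-derived key over a fresh nonce, so it depends neither on unauthenticated ticket requests nor on synchronized clocks. The names `ToyKDC`, `prove` and `derive_key`, the use of PBKDF2 and HMAC-SHA-256, the lockout threshold and the sample principal are all assumptions of this example.

```python
import hashlib, hmac, secrets

MAX_FAILURES = 3  # assumed lockout threshold, not taken from the report

def derive_key(password: str, principal: str) -> bytes:
    # Long-term key derived from the password (PBKDF2 is this example's choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def prove(key: bytes, principal: str, nonce: bytes) -> bytes:
    # Client's answer: a MAC over the KDC's fresh nonce, keyed by the long-term key.
    msg = b"as-req|" + principal.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class ToyKDC:
    """Hypothetical KDC front end: no proof of key knowledge, no ticket."""

    def __init__(self, users: dict):
        self.keys = {p: derive_key(pw, p) for p, pw in users.items()}
        self.pending = {}    # principal -> outstanding single-use nonce
        self.failures = {}   # principal -> consecutive failed proofs

    def challenge(self, principal: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[principal] = nonce
        return nonce

    def request_ticket(self, principal: str, response=None):
        nonce = self.pending.pop(principal, None)  # consumed on every attempt
        key = self.keys.get(principal)
        if key is None or nonce is None or response is None:
            return None                            # nothing key-dependent is sent back
        if self.failures.get(principal, 0) >= MAX_FAILURES:
            return None                            # locked: online guessing is bounded
        if not hmac.compare_digest(prove(key, principal, nonce), response):
            self.failures[principal] = self.failures.get(principal, 0) + 1
            return None
        self.failures[principal] = 0
        return secrets.token_hex(16)               # stand-in for the real encrypted reply

def demo() -> dict:
    user, pw = "teller01@BANK.EXAMPLE", "constructed-passphrase"  # constructed sample data
    kdc = ToyKDC({user: pw})
    key = derive_key(pw, user)
    out = {"unauthenticated": kdc.request_ticket(user)}  # ticket request without proof
    good = prove(key, user, kdc.challenge(user))
    out["valid"] = kdc.request_ticket(user, good) is not None
    kdc.challenge(user)                                   # KDC issues a fresh nonce
    out["replayed"] = kdc.request_ticket(user, good)      # stale proof fails, no clock used
    return out
```

A passive eavesdropper who records a nonce and its proof can still test password guesses offline; that remaining gap is what the D-H key exchange mentioned above is meant to close.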
RECOMMENDATIONS
Eliminate unnecessary data; keep tabs on what’s left.
Consider using the built-in security features that are provided with your Internet
browser instead of disabling them.
Always log out of the banking online site or application completely.
Use a current Internet browser with 128-bit encryption that supports secure and
private transactions.
If your computer is on a wireless network (home or public), ensure that the
router settings are secure (encrypted). Using scanning devices, individuals can
intercept unencrypted signals and view or obtain your information.
It is recommended that you clear the browser cache before starting an Online
Banking session in order to eliminate copies of web pages that have been stored
on the hard drive.
Use caution when downloading files, installing software, or opening email
attachments from unverified or unknown sources. Many of these files contain
spyware or key-logging programs that can send information back to a malicious
site.
Download apps only from trusted stores and/or markets.
9. 9
To protect the bank from security breaches, you should adopt internal controls and guidelines
like the following:
Protect your machines. Place limits and controls on who has access to your computer systems.
Make sure your organization’s computers are running the latest operating system and versions
of software, web browser, and anti-virus protection. Check that your anti-virus software is
up-to-date and updated automatically.
Keep your computers up-to-date with security fixes by turning on Automatic Updates, and make
sure you reboot when prompted. Filter websites and use a good firewall with intrusion
prevention. And don’t do your banking from a computer that is used to surf the web – limit which
computers can be used to perform online banking.
Protect your password. Never give it to anyone and don’t write it down. Use a secure password
manager if you need help keeping track of many passwords.
Teach your employees to be cautious and suspicious, and never take e-mail at face value –
especially if it seems urgent or contains threats. These may be phishing attempts designed to
trick people into opening a malicious link or attachment. They should know to always check any
suspicious or unexpected communications by calling, e-mailing, or going to a website directly
instead of clicking any links.
Let us help you limit fraud. Use fraud protection services such as Positive Pay for checks issued
and ACH Monitoring Service, including debit and credit blocks for unauthorized ACH entries to
your account. Also, use payment templates to prevent unauthorized modifications, and ensure
that your payment limits reflect your typical transaction amounts.