Binghamton Bank Risk Analysis


Transcript of Binghamton Bank Risk Analysis

Page 1: Binghamton Bank Risk Analysis

Infrastructure Division: Chloe Chan, Janet Chan, Kyle Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau

Application Division: Zachary Alexander, Alexis Cai, Sharon Han, Gary Liku, Derek Liu & Joshua Neustadter

Page 2: Binghamton Bank Risk Analysis

Agenda

• Overview of Binghamton Bank
• Aegis Analysis
• Executive Summary
• Infrastructure Risk Analysis
• Application Risk Analysis Summary

Page 3: Binghamton Bank Risk Analysis

Overview of Binghamton Bank

Page 4: Binghamton Bank Risk Analysis

Background of Binghamton Bank

• Largest bank in the Northeast, headquartered in Boston, MA
• Specialized in commercial, retail, and investment banking
• $50 billion in assets; 20th largest bank holding company in the United States
• New CEO, Conner Wayne
• Rebranded slogan: “Building a Sanctuary for your Future”

Page 5: Binghamton Bank Risk Analysis

Binghamton Bank Challenges

Binghamton Bank needs to enhance its applications and infrastructure to improve customer satisfaction cost-efficiently.

Software upgrade issues
• Payments stopped for 2 hours
• Large monetary loss

Web application issues
• Customers could not access their accounts
• Log-in troubles

Reliability and reputation issues
• Customers still question the reliability of the bank’s IT systems

Page 6: Binghamton Bank Risk Analysis

Aegis Analysis

Page 7: Binghamton Bank Risk Analysis

Aegis Analysis

Risk Evaluation Tool
• Designed and developed a risk evaluation tool that determines inherent risk, control strength, and residual risk by assessing client responses

Risk Criteria
• Operational: risks associated with functions inside the company and risks that affect internal day-to-day activities
• Financial: risks associated with business transactions, including both financial dealings and non-monetary trading and sharing
• Technological: risks resulting from failures or errors of IT devices or systems put in place by the company
• External: any associated risk due to an uncontrollable occurrence outside the company

Page 8: Binghamton Bank Risk Analysis

Executive Summary

Page 9: Binghamton Bank Risk Analysis

Executive Summary

Infrastructure

1. ATM Vendor Dependency
• Risks: reliant on external vendors for ATM operations; lacking emergency protocol
• Recommendations: implement transitional vendors

2. Online Banking Remote Security
• Risks: weak security leads to the possibility of compromised information and reputational loss
• Recommendations: boost remote access security

3. Disaster Recovery – Server Security
• Risks: no data encryption; weak failure prevention
• Recommendations: encrypt server information; test contingency plan; upgrade servers

Application

1. BODPS
• Risks: poor information security; limited employee training
• Expected outcome: loss of sensitive client data; prone to social engineering and regulation violations

2. NorthGo
• Risks: system overload; lack of backup system
• Expected outcome: application failure; reputational harm; data loss

3. FIN
• Risks: short RTO; application failure
• Expected outcome: serious monetary loss; halt of Binghamton Bank’s operations

Page 10: Binghamton Bank Risk Analysis

Infrastructure Summary

1. ATM Vendor Dependency
Risks
• Reliant on numerous critical vendors to operate ATMs
• Lacking emergency plan for failed vendors
• Alternative power source is unavailable
Recommendations
• Increase vendor reliability awareness
• Implement Automatic Transfer Switch (ATS)
• Contract transitional vendors

2. Online Banking Remote Security
Risks
• Weak preventions for network access
• Sensitive information not encrypted
• Weak authentication for account access
Recommendations
• Acquire SSL certificates
• Require remote access through virtual machines
• Enable Remote Wipe on employee devices
• Prevent unauthorized network access

3. Disaster Recovery – Server Security
Risks
• No encryption of sensitive information
• Contingency plan not tested frequently
• Servers are not up to date
Recommendations
• Upgrade servers to Windows Server 2012 R2
• Utilize COBIT
• Enable SSL certificates
• Encrypt sensitive information
• Test contingency plan

Page 11: Binghamton Bank Risk Analysis

Infrastructure Risk Analysis

Page 12: Binghamton Bank Risk Analysis

1. ATM Vendor Dependency

ATMs                Operational  Financial  Technological  External
Inherent Risk                53         40             78        67
Control Strength             28         10             25         9
Residual Risk                38         36             58        60

Inherent Risk
• Processes 2,000–5,000 transactions per hour
• ATMs require 7 or more critical vendors to operate
• Negative press has the potential to reach national news

Control Observations
Technological
• ATMs do not have backup power plans in place
External
• Currently no transitional vendors in place
• Binghamton Bank takes no precautions to ensure that vendors are reliable

Note: Inherent Risk – lower is better; Control Strength – higher is better. Red indicates discussed risks. Score values are from 1–100.
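A check of the scorecard arithmetic, added here as an example and not part of the deck or the Aegis tool. The slides never state how residual risk is derived, so the code assumes (an assumption, not the tool's documented formula) that residual risk is inherent risk scaled by (100 − control strength)/100, compares that against the printed residuals for the ATM, Online Banking, DR/Servers and FIN scorecards, and ranks categories by residual to reproduce the risk priority.

```python
"""Residual-risk check for the Aegis-style scorecards in this deck.

Added example, not the project's own tool. The slides print inherent risk,
control strength and residual risk (all scored 1-100) per category but not
the relation between them. ASSUMPTION: residual risk is inherent risk reduced
in proportion to control strength:

    residual = inherent * (100 - control) / 100
"""

CATEGORIES = ("Operational", "Financial", "Technological", "External")

# Constructed table: scores copied from the deck's scorecards, in the
# slide's category order (Operational, Financial, Technological, External).
SCORECARDS = {
    "ATM": {
        "inherent": (53, 40, 78, 67),
        "control": (28, 10, 25, 9),
        "residual": (38, 36, 58, 60),
    },
    "Online Banking": {
        "inherent": (48, 41, 66, 49),
        "control": (30, 10, 24, 20),
        "residual": (34, 37, 50, 39),
    },
    "DR/Servers": {
        "inherent": (59, 43, 67, 44),
        "control": (25, 15, 20, 18),
        "residual": (44, 36, 53, 36),
    },
    "FIN": {
        "inherent": (100, 100, 100, 15),
        "control": (69, 87, 89, 9),
        "residual": (31, 15, 15, 15),
    },
}


def residual_risk(inherent: int, control: int) -> float:
    """Assumed model: a control of strength c removes c% of the inherent risk."""
    if not (1 <= inherent <= 100 and 1 <= control <= 100):
        raise ValueError("scores must be in 1..100")
    return inherent * (100 - control) / 100


def check_scorecard(name: str, tolerance: float = 1.0) -> dict:
    """Compare the assumed model against the slide for every category.

    Returns {category: {"modelled": float, "slide": int, "fits": bool}};
    a category "fits" when the modelled value is within `tolerance` points
    of the printed residual (the slides round to whole numbers).
    """
    card = SCORECARDS[name]
    report = {}
    for cat, inh, ctl, slide in zip(
        CATEGORIES, card["inherent"], card["control"], card["residual"]
    ):
        modelled = residual_risk(inh, ctl)
        report[cat] = {
            "modelled": round(modelled, 2),
            "slide": slide,
            "fits": abs(modelled - slide) <= tolerance,
        }
    return report


def residual_ranking(name: str) -> list:
    """Categories ordered by the slide's residual risk, highest first."""
    card = SCORECARDS[name]
    pairs = sorted(zip(CATEGORIES, card["residual"]), key=lambda p: -p[1])
    return [cat for cat, _ in pairs]


if __name__ == "__main__":
    for name in SCORECARDS:
        report = check_scorecard(name)
        misfits = [c for c, r in report.items() if not r["fits"]]
        print(f"{name}: priority {residual_ranking(name)}; "
              f"model misfits: {misfits or 'none'}")
```

Within one point, the assumed relation reproduces all three infrastructure scorecards; on FIN the printed residual never drops below 15 where the model gives 11 to 13.65, so the deck's tool appears to apply a floor the slides do not mention.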

Page 13: Binghamton Bank Risk Analysis

1. ATM Vendor Dependency

Risk Priority
• On average, ATMs process 180% more transactions per hour than online banking systems
• Reputational issues
  • Dependence on processes outside of Binghamton Bank’s control
  • Potential for negative media
  • ATM failures could seriously affect the reputation of the new CEO

Recommendations
Vendor Reliability
• Have transitional backup vendors in place for each critical vendor
• Create and practice a vendor contingency plan
• Increase awareness of vendors’ reliability
  • Perform quarterly financial reviews
  • Background checks on vendors (SOC-II)
  • Annual debrief with vendor management
Failure Time Prevention
• Implement backup power system
• Implement Automatic Transfer Switch (ATS) to reduce failover time

Page 14: Binghamton Bank Risk Analysis

2. Online Banking Remote Access Security

Online Banking      Operational  Financial  Technological  External
Inherent Risk                48         41             66        49
Control Strength             30         10             24        20
Residual Risk                34         37             50        39

Inherent Risk
Technological
• Less than 25% of online banking operations can be performed with failed servers
• More than 60% of sensitive information would be compromised in the event of a breach of the database
• Allowing remote access for online banking may open doors to potential risks
Financial
• Binghamton Bank would face greater than $200,000 in fines in the event of non-compliance with regulations

Control Observations
Technological
• No multi-tier authentication in order to gain access to online banking remotely
• Weak prevention for unauthorized access to the network
• No encryption of sensitive information

Page 15: Binghamton Bank Risk Analysis

2. Online Banking Remote Access Security

Risk Priority
• Reputational loss
  • Decrease in accountability to customers if servers were to fail
  • Loss of sensitive information will result in non-compliance with GLBA
• Monetary loss
  • Each violation of GLBA can cause fines up to $100,000
• Safety of customers’ personal information
  • Hackers could disclose or utilize private customer information

Recommendations
Remote Access Safeguards
• Require virtual machines for employee remote access
• Enable remote wipe for devices
• Require 2-step authentication for employee remote access
• Include SSL certificates to encrypt data for all subdomains
• Require employees to access server information through a Virtual Private Network (VPN)
Unauthorized Network Access
• Allow pre-authorized MAC addresses
• Monitoring and logging system
• Separate networks by critical information

Page 16: Binghamton Bank Risk Analysis

3. Disaster Recovery – Server Security

DR/Servers          Operational  Financial  Technological  External
Inherent Risk                59         43             67        44
Control Strength             25         15             20        18
Residual Risk                44         36             53        36

Inherent Risk
Technological
• 10%–30% of critical infrastructure software is not up to date
• Less than 25% of operations can be performed with failed servers
• More than 60% of sensitive information would be compromised if databases were breached
• Allowing remote access to company systems can open doors to potential risks
Financial
• In the event of non-compliance with regulations, Binghamton Bank could face greater than $200,000 in fines

Control Observations
Technological
• Binghamton Bank only tests its contingency plan every 2–5 years
• Tests employees’ preparedness for online threats less than once a year
• Servers do not encrypt sensitive information
Financial
• IT employee operations not aligned with financial goals

Page 17: Binghamton Bank Risk Analysis

3. Disaster Recovery – Server Security

Risk Priority
• Monetary loss: each violation of GLBA can cause Binghamton Bank to be fined up to $100,000
• Excess or unnecessary activities are performed by the IT department
• Failures decrease reliability
• Weak ability to adapt to unanticipated events

Recommendations
• COBIT governance framework would familiarize IT employees with business standards and goals
• Secure Sockets Layer (SSL) certificates establish an encrypted link between the server and a client
• 256-bit AES encryption in transit and at rest
• Test employees for phishing schemes monthly
• Test contingency plan annually
• Upgrade to Windows Server 2012 R2
  • 1,000 servers ~ $900,000
  • 2,500 servers ~ $2.0 million
  • 5,000 servers ~ $3.7 million
  • 7,000 servers ~ $4.9 million


Page 19: Binghamton Bank Risk Analysis

Application Risk Analysis

Page 20: Binghamton Bank Risk Analysis

1. BODPS (Back Office Data Processing System)

Description: BODPS processes information from FIN and sends this data to iReport to create financial documents

BODPS               Operational  Financial  Technological  External
Inherent Risk                84         15             88        75
Control Strength             38         44             20        41
Residual Risk                52         15             70        44

Inherent Risk
Operational
• Stores sensitive client data that must be protected at the highest level to guard against hacking threats and data leaks
Technological
• Failure of this application would lead to the improper functioning of other applications

Control Observations
Operational
• Employees lack proper training to use the application securely
Technological
• No levels of authorization
• No scheduled dates for application upgrades and maintenance

Note: Inherent Risk – lower is better; Control Strength – higher is better. Red indicates discussed risks. Score values are from 1–100.

Page 21: Binghamton Bank Risk Analysis

1. BODPS (Back Office Data Processing System)

Risk Priority
• Poor internal login authorization security
• Potential loss of sensitive client data
• Sends data to iReport to create financial documents; poor security may lead to inaccurate data, thus publishing faulty financial statements
• Violations of SOX and GLBA are possible (jail time and fines can occur)

Recommendations
• Implement a two-level authorization process for employees to address poor security
  • Level 1: personalized employee password
  • Level 2: enter security token code
  • Example: vendor Symantec for application security, $38.18 per token annually
• Schedule upgrades during low-traffic times, using statistical analytics to locate the slowest hours of operation
• Implement mandatory training courses as part of a control objective
  • Raise awareness of social engineering threats
  • First steps to comply with COBIT

Page 22: Binghamton Bank Risk Analysis

2. NorthGo

Description: NorthGo is an online asset management application

NorthGo             Operational  Financial  Technological  External
Inherent Risk                84         42             56        15
Control Strength             56         15             20        40
Residual Risk                37         37             45        15

Inherent Risk
Operational
• Web-based application that incorporates sensitive information of employees and customers
Technological
• Vulnerable to online hacking
• Excessive traffic

Control Observations
Operational
• Backup system does not demonstrate full functionality
• Internal monitoring system needs to be updated
• Insecure website does not adequately protect customer data
Technological
• No levels of authorization
• No systems are in place to handle increasing traffic

Page 23: Binghamton Bank Risk Analysis

23

2. NorthGo

Risk Priority
• Lack of login security and vulnerability to hacking
• Nothing in place to mitigate failure from application overload
• Failure can lead to security vulnerability and loss of customer confidence
• Security threats can lead to the loss of customer information
• Violation of GLBA is possible (up to $100,000 per violation)
• Reputational harm
• Insufficient internal monitoring system to alert the bank of potential malfunctions

Recommendations
• Implement two-factor authorization using a personal password and a randomly generated password; example: Symantec token
• Upgrade for increasing traffic
• Apply a backup system; example: Simpana
• Implement an application monitoring system; example: DynaTrace
  • $177 per JVM instance for a three-year subscription
  • Provides alerts of potential risks ahead of time
• Schedule upgrades for low-traffic times
• Utilize ISO 27001/27002 to help begin the process of an Information Security Management System (ISMS)

Page 24: Binghamton Bank Risk Analysis

3. FIN (Central Financial Transaction Application)

Description: FIN is the central financial application of Binghamton Bank

FIN                 Operational  Financial  Technological  External
Inherent Risk               100        100            100        15
Control Strength             69         87             89         9
Residual Risk                31         15             15        15

Inherent Risk
Operational
• FIN is the most critical application to business functions
• Integrates with all applications, making it a big threat if it were to fail
• Binghamton Bank is susceptible to application failures during software upgrades

Control Observations
Operational
• There is no manual process to fall back on if the application were to fail
• Insufficient internal monitoring system to alert employees of application failure
• No periodic compliance checks to make sure new standards and regulations are being met

Page 25: Binghamton Bank Risk Analysis

3. FIN (Central Financial Transaction Application)

Risk Priority
• FIN malfunction
  • Lack of a fully functioning backup system
  • Functions cannot be completed ad hoc
  • Critical bank functions can be halted by FIN failure
• Short Recovery Time Objective (RTO)
  • Bottom line is affected almost immediately
  • Quick recovery crucial to prevent financial loss

Recommendations
• Implement software for a fully functional backup system; example: CommVault Simpana
  • Allows physical and virtual backups
  • Includes a failure recovery system
  • Web-based and dashboard reporting features
  • Live restore, highly scalable, unified architecture – single console for DB admins
  • $1,270 per VM / $1,420 per TB of data
• Train employees in order to establish best practices in using this software
• Schedule backups and upgrades during low-traffic times

Page 26: Binghamton Bank Risk Analysis

Top Application Risks

1. Insufficient Login Authorization Security
Risks
• Vulnerable to hacking
• Social engineering can lead to compromise of the bank’s data
Recommendations
• Implement security tokens for BODPS and NorthGo; example: Symantec

2. Insufficient Internal Monitoring System
Risks
• Cannot foresee problems ahead of time and prepare for them
Recommendations
• Implement application monitoring system for NorthGo; example: DynaTrace

3. Lack of Backup System
Risks
• System overload
• Susceptible to crashes
• Loss of sensitive client data
• Functions cannot be completed ad hoc effectively
• Critical bank functions can be halted by FIN failure
Recommendations
• Implement backup system for NorthGo and FIN; example: CommVault Simpana

Page 27: Binghamton Bank Risk Analysis

Summary

Page 28: Binghamton Bank Risk Analysis

Recommendations Summary

Infrastructure

ATM Vendor Dependency
• Enable transitional vendors
• Vendor reliability procedures
• Automatic Transfer Switch
• Contingency plan tests

Online Banking Remote Security
• SSL certificates
• Virtual machines
• Remote wipe
• Pre-determined MAC addresses

Disaster Recovery – Server Security
• Upgrade to Windows 2012 R2
• Familiarize employees with COBIT
• SSL certificates
• Data encryption
• Test contingency plan

Application

BODPS
• Implement security tokens
• Provide application and regulation training program for employees
• Establish best practices with COBIT

NorthGo
• Implement internal monitoring system
• Implement a robust backup system
• Implement security tokens
• Establish an ISMS with ISO 27001/27002

FIN
• Implement a more robust backup system
• Set up a failure recovery plan
• Internal monitoring system to tell when FIN is going to fail

Page 29: Binghamton Bank Risk Analysis

Questions? Thank you

Page 30: Binghamton Bank Risk Analysis

Appendix A

Symantec: https://www4.symantec.com/mktginfo/whitepaper/user_authentication/whitepaper-twofactor-authentication.pdf
• Better value with Symantec: lower costs
• Free, easy-to-use software credentials provide significant cost savings
• Cost-effective tokens: no token renewal fees and no shelf decay
• Single, integrated platform allows you to deploy multiple devices depending on user and application types
• Flexible models enable you to create a customized solution for your business: OTP or tokenless options
• Leverages existing technology investments (directory, database, SSO servers, etc.); fully scalable
• Open versus proprietary: more credential choices and no vendor lock-in
• Continuous innovation: innovative devices both in cost and functionality (secure storage, end-point security, etc.)
• Single platform can support changing authentication requirements (including risk-based authentication)
• Out-of-box self-service application, including token activation, token synchronization, etc.

Page 31: Binghamton Bank Risk Analysis

Appendix B

Simpana: http://www.commvault.com/simpana-software
• Industry-leading backup and recovery
• Backup success rate of 95 percent
• Maximizes utilization of storage and infrastructure
• Powerful scalability
• Broad flexibility
• Simple and comprehensive management
• Automated protection of virtual machines
• Acceleration and simplification of disaster recovery using “virtualize me”
• Disaster recovery cost reductions using Simpana Replication
• Eliminates operational complexity and reduces cost by integrating archiving, backups, and reporting into a single process
• Need for third-party reporting tools eliminated because it is managed from a single console
• Allows for workflow automation of tasks that would otherwise be repetitive or complex
• Self-service access to information, which allows for maximized productivity
• Accounts for all data and reduces risk in a single, enterprise-wide search
• One-click, enterprise-wide legal hold
• Pricing: $1,270 per socket; $4.50 per user per month; $30 per mailbox; $1,420 per TB

Page 32: Binghamton Bank Risk Analysis

Appendix C

DynaTrace: http://www.dynatrace.com/en/index.html
• No other company can match our experience and depth of knowledge: more than 800 of the field’s top engineers and application performance experts contribute to our industry-leading products, assuring customer value and driving innovation. Dynatrace optimizes every digital moment by enabling you to:
• Proactively spot and solve application performance issues before users are impacted
• Smart and adaptive alerts to better adjust in future situations
• Code-to-click visibility, which can deliver actionable insights at each step in the lifecycle of the application
• Increases customer satisfaction by delivering visibility, context, insight, and adaptability
• Speed new applications and enhancements to market with DevOps functionality
• Pinpoint root causes and optimize critical applications
• Always ready to launch on time due to effective competitive benchmarking, testing, monitoring, and performance protection

Page 33: Binghamton Bank Risk Analysis

Appendix D

ISO standards: ISO 27001, 27002
• ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
• ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
• ISO 27002 provides the code of conduct – guidance and recommended best practices that can be used to enforce the specification.
• ISO 27002, then, is the source of guidance for the selection and implementation of an effective ISMS. In effect, ISO 27002 is the second part of ISO 27001.

SOX: The Sarbanes-Oxley Act is United States legislation to improve the accuracy of corporate disclosures and prevent accounting errors and fraudulent financial practices. Due to the purpose of its establishment, all organizations regardless of size and scope are required to comply.
• Section 404: program for risk assessment and internal control reporting requirements. Section 404 of SOX is primarily devoted to the management assessment of internal controls using a top-down risk assessment. A top-down, risk-based approach is a process of identifying financial-reporting-related risks and a combination of controls that effectively address those risks, and evaluating testing results to provide conclusive responses on the effectiveness of the controls. This method rests on the fact that not all risks are equal and that risks should be organized according to likelihood and impact.

Page 34: Binghamton Bank Risk Analysis

Appendix E

COBIT:
• Framework: organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements
• Process descriptions: a reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor.
• Control objectives: provide a complete set of high-level requirements to be considered by management for effective control of each IT process
• Management guidelines: help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes
• Maturity models: assess maturity and capability per process and help to address gaps
• The maturity models (MMs) in COBIT were first created in 2000 and at that time were designed based on the original CMM scale with the addition of an extra level (0), as shown below:
  • Level 0: Non-existent
  • Level 1: Initial/ad hoc
  • Level 2: Repeatable but Intuitive
  • Level 3: Defined Process
  • Level 4: Managed and Measurable
  • Level 5: Optimized

Page 35: Binghamton Bank Risk Analysis

Appendix F

GLBA:
• The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. One of the early steps companies should take is to determine what information they are collecting and storing, and whether they have a business need to do so. You can reduce the risks to customer information if you know what you have and keep only what you need.
• The Privacy Rule protects a consumer's "nonpublic personal information" (NPI). NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."

NPI:
• any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
• any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
• any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).

Fines for GLBA:
• Fines up to $100,000 for each violation
• Specific individuals fined up to $10,000 for each violation
• Criminal penalties of up to 5 years in prison