IS SECURITY PERSPECTIVES FROM THE BANKING INDUSTRY AGUMA MPAIRWE CISA,CIA,FCCA,B.A(HONS).
-
Upload
christian-boyes -
Category
Documents
-
view
225 -
download
3
Transcript of IS SECURITY PERSPECTIVES FROM THE BANKING INDUSTRY AGUMA MPAIRWE CISA,CIA,FCCA,B.A(HONS).
DEFINITIONS INFORMATION SECURITY - ‘THE PROCESS
BY WHICH AN ORGANISATION PROTECTS AND SECURES ITS SYSTEMS, MEDIA AND FACILITIES THAT PROCESS AND MAINTAIN INFORMATION VITAL TO ITS OPERATIONS’ – FFIEC
BANKING – ‘THE BUSINESS ACTIVITY OF ACCEPTING AND SAFEGUARDING THE MONEY OWNED BY OTHER INDIVIDUALS AND ENTITIES THEN LENDING OUT THIS MONEY IN ORDER TO EARN A PROFIT’ - INVESTORWORDS
IT SECURITY AND AUDIT BEST PRACTICES - BANKS FEDERAL FINANCIAL INSTITUTIONS
EXAMINATIONS COUNCIL (FFIEC). FFIEC IT EXAMINATION BOOKLETS FFIEC – US BASED ORGANISATION THAT
BRINGS TOGETHER ALL REGULATORS OF THE US FINANCIAL SYSTEM
BANKING ACTIVITIES - GENERAL RECEIPT OF DEPOSITS (CASH,CHEQUE OR ELECTRONIC) SAFEGUARDING OF DEPOSITS LENDING OF DEPOSITS TO OTHER PARTIES INVESTMENT AND TREASURY ACTIVITIES – PLACEMENT OF
FUNDS, FOREX TRADING, DERIVATIVES TRADING AVAILING FUNDS TO THOSE THAT WISH TO WITHDRAW THEM GENERAL MANAGEMENT, ACCOUNTING AND ADMINISTRATION ALL THE ABOVE WILL INVOLVE THE USE OF SOME FORM OF IT
SYSTEM OR OTHER ALL THE PROCESSES ABOVE PRESENT RISKS THAT CAN BE
EXPLOITED FOR PURPOSES OF FRAUD IT SECURITY IS PARAMOUNT
BANKING ACTIVITIES BANKS IN THE ‘TRUST’ BUSINESS LEGAL, PROFESSIONAL AND ETHICAL OBLIGATION TO
KEEP CUSTOMER INFORMATION AND AFFAIRS CONFIDENTIAL –
‘A FINANCIAL INSTITUTION’S EARNINGS, AND CAPITAL CAN BE ADVERSELY AFFECTED IF INFORMATION BECOMES KNOWN TO UNAUTHORISED PARTIES, IS ALTERED, OR IS NOT AVAILABLE WHEN IT IS NEEDED’ – FFIEC
ADVERSE PUBLICITY CAN LEAD TO REPUTATIONAL RISK AND IN THE WORST CASE A RUN ON A BANK.
THE ‘C.I.A’ - CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF INFORMATION PARAMOUNT
IT SECURITY OBJECTIVES CONFIDENTIALITY INTEGRITY AVAILABILITY ACCOUNTABILITY ASSURANCE NOTE - ACCOUNTABILITY AND
INTEGRITY REPRESENT ‘NON - REPUDIATION’ - FFIEC
CHANGING BANK FRAUD AND FRAUSTER PROFILE - UGANDA IN THE EARLY 2000’s AND BEFORE KEY FRAUDS WERE CHEQUE FRAUD, FORGED, ALTERED,
COUNTERFEIT. DEPOSIT SLIP FRAUD TYPICAL FRAUDSTER – MALE, 35 YEAR
OLD, LIMITED EDUCATION.
CHANGING BANK FRAUD AND FRAUSTER PROFILE - UGANDA MID- 2005 TO DATE ELECTRONIC FRAUD ATM FRAUD IN HOUSE BANK FRAUD – BY BANK EMPLOYEES
EITHER ALONE OR IN COLLUSION WITH OUTSIDERS
TYPICAL FRAUDSTER – MALE OR FEMALE, BANK EMPLOYEE, TRUSTED INSIDER, EDUCATED, UNIVERSITY GRADUATE, IT LITERATE (NOT NECESSARILY EXPERT!),
ONLINE FRAUD - IMPLICATIONS 71% MORE CAUTIOUS WHEN SHOPPING
ONLINE 67% MORE ATTENTIVE WHEN PROVIDING
FINANCIAL AND PERSONAL INFORMATION TO WEBSITES
28% ABANDON A PURCHANSE IF RE-DIRECTED TO ANOTHER SITE TO PROVIDE PAYMENT INFORMATION
15% STOPPED SHOPPING ALTOGETHER AS A RESULT OF ONLINE FRAUD CONCERNS –
USA SURVEY
INFORMATION WEBSITES POTENTIAL LIABILITY AND CONSUMER VIOLATIONS FOR
INACCURATE OR INCOMPLETE INFORMATION ABOUT PRODUCTS, SERVICES, AND PRICING PRESENTED ON THE WEBSITE;
POTENTIAL ACCESS TO CONFIDENTIAL FINANCIAL INSTITUTION OR CUSTOMER INFORMATION IF THE WEBSITE IS NOT PROPERLY ISOLATED FROM THE FINANCIAL INSTITUTION'S INTERNAL NETWORK;
POTENTIAL LIABILITY FOR SPREADING VIRUSES AND OTHER MALICIOUS CODE TO COMPUTERS COMMUNICATING WITH THE INSTITUTION'S WEBSITE; AND
NEGATIVE PUBLIC PERCEPTION IF THE INSTITUTION'S ON-LINE SERVICES ARE DISRUPTED OR IF ITS WEBSITE IS DEFACED OR OTHERWISE PRESENTS INAPPROPRIATE OR OFFENSIVE MATERIAL. -FFIEC
TRANSACTIONAL WEBSITES SECURITY CONTROLS FOR SAFEGUARDING
CUSTOMER INFORMATION; AUTHENTICATION PROCESSES -VERIFY THE
IDENTITY OF NEW CUSTOMERS AND AUTHENTICATE EXISTING CUSTOMERS WHO ACCESS E-BANKING SERVICES;
LIABILITY FOR UNAUTHORIZED TRANSACTIONS; LOSSES FROM FRAUD IF THE INSTITUTION FAILS TO
VERIFY THE IDENTITY OF INDIVIDUALS OR BUSINESSES APPLYING FOR NEW ACCOUNTS OR CREDIT ON-LINE - FFIEC
.RETAIL SERVICES WHOLESALE SERVICES
ACCOUNT MANAGEMENT ACCOUNT MANAGEMENT
BILL PAYMENT AND PRESENTMENT
CASH MANAGEMENT
NEW ACCOUNT OPENING SMALL BUSINESS LOAN APPLICATIONS, APPROVALS, OR
ADVANCESCONSUMER WIRE
TRANSFERS
INVESTMENT/BROKERAGE SERVICES
COMMERCIAL WIRE TRANSFERS
LOAN APPLICATION AND APPROVAL
BUSINESS-TO-BUSINESS PAYMENTS
ACCOUNT AGGREGATIONEMPLOYEE BENEFITS/PENSION
ADMINISTRATION
TRANSACTIONAL WEBSITES POSSIBLE VIOLATIONS OF LAWS OR
REGULATIONS PERTAINING TO CONSUMER PRIVACY, ANTI-MONEY LAUNDERING, ANTI-TERRORISM, OR THE CONTENT, TIMING, OR DELIVERY OF REQUIRED CONSUMER DISCLOSURES; AND
NEGATIVE PUBLIC PERCEPTION, CUSTOMER DISSATISFACTION, AND POTENTIAL LIABILITY RESULTING FROM FAILURE TO PROCESS THIRD-PARTY PAYMENTS AS DIRECTED OR WITHIN SPECIFIED TIME FRAMES, LACK OF AVAILABILITY OF ON-LINE SERVICES, OR UNAUTHORIZED ACCESS TO CONFIDENTIAL CUSTOMER INFORMATION DURING TRANSMISSION OR STORAGE. - FFIEC
ATM/CARD- FRAUD WHO PICKS UP THE COST IF YOUR CARD
IS MISUSED, YOU OR YOUR BANK? SOUTH AFRICA - TOTAL VALUE OF
ONLINE TRANSACTIONS – USD $285 MILLION
SOUTH AFRICA - 2009 TOTAL LOSSES TO BANKING INDUSTRY DUE TO LOST AND STOLEN CARDS – USD 13MILLION – PERSONAL FINANCE
ATM/DEBIT/CREDIT CARD – RISKS CARD INFORMATION HELD IN MAGNETIC STRIPE
INCLUDING PRIMARY ACCOUNT NUMBER, EXPIRY DATE,
CARD CAN BE CLONED, IF DETAILS ON MAGNETIC STRIPE CAN BE COPIED USING SKIMMING DEVICES
CARD CAN BE STOLEN/LOST USED FOR ‘CARDHOLDER NOT PRESENT’
TRANSACTIONS – OVER PHONE OR ONLINE PIN CAN BE OBTAINED USING HIDDEN
CAMERAS IN ATM LOCATION OR CCTV CAMERAS IN VIEW OF THE KEYPAD!
CARD SKIMMING INVOLVES THE USE OF DEVICES THAT READ CARD
DETAILS CONTAINED IN THE MAGNETIC STRIP OF THE CARD
CAB BE PLACED IN THE ATM CARD SLOT OR CAN BE HAND HELD (POCKET) RESTAURANTS HIGH RISK! BEGAN TO OBSERVE COMPLAINTS IN UGANDA DISCUSSION AT BANKERS ASSOSCIATION FRAUD
AND FORGERIES SUB-COMMITTEE CASES OF FRAUD REPORTED BY MEMBER BANKS CUSTOMERS USUALLY HAD TRAVELLED ABROAD
AT SOME POINT IN TIME SOUTH AFRICA – MENTIONED AS A DESINATION
VISITED IN SOME CASES
CARD SKIMMING ABSA 177 ARRESTS, 26 SKIMMING
DEVICES CAPTURED IN 2011 - PERSONAL FINANCE
COST TO THE US - $60 MILLION PER YEAR! – CSO ONLINE
ATM RISK MITIGANTS CHIP AND PIN BASED CARDS. AWARENESS TRAINING FOR CUSTOMERS!! PHYSICAL SECURITY CAUTION AT ATM SITES – WATCH OUT FOR
CAMERA’S, SKIMMING DEVICES SHIELD ENTRY OF PIN AT ATM WITH
HAND/WALLET REGULAR CHECKING OF CARD BALANCES MERCHANT TRAINING
INTERNAL ACCOUNT TRANSFERS INCRESINGLY COMMON FRAUD IN INDUSTRY INVOLVES UNAUTHORISED ‘CREATION’ OF
DEPOSITS DEBIT ‘OVERCROWDED’ ACCOUNT WITH
SEVERAL ITEMS DIFFICULT TO TRACE E.G SUSPENSE ACCOUNT
CREDIT IS MADE TO CUSTOMER ACCOUNT FUNDS ARE WITHDRAWN!
POSSIBLE SOLUTIONS COMBINATION OF ROLE BASED ACCESS AND
LEAST PRIVILEDGE RESTRICTIONS CAN BE ENFORCED
RESTRICT TELLER OR OPERATIONS STAFF ABILITY TO POST TRANSACTIONS TO ADMINISTRATIVE ACCOUNTS E.G FIXED ASSET ACCCOUNTS
RESTRIC FINANCE DEPARTMENT STAFF ABILITY TO POST TRANSACTIONS DIRECTLY TO CUSTOMER ACCOUNTS
G.L AUDIT REVIEW –PERIODIC CLEAR TIMELINES FOR CLEARING OFF ITEMS
IN SUSPENSE, TRANSIT AND CLEARING ACCOUNTS
IT PROJECT MANAGEMENT RISKS INADEQUATE SECURITY FEATURES ENFORCED
DURING IMPLEMENTATION OF IT APPLICATION SYSTEMS
OBSERVED IN BANKING INDUSTRY IN THE PAST MUST PROVIDE FOR: GENERAL ACCESS CONTROLS IDENTIFICATION AND AUTHENTICATION CONTROLS AUDIT TRAIL COMMUNICATION CONTROLS – KELLY KIM 2008
DATA MIGRATION CONTROLS – IMPORTANT TAKE ACCOUNT OF FACT THAT BANK SYSTEMS MAY
NEED TO BE ONLINE 24/7/365
PROJECT MANAGEMENT
PROJECT MANAGEMENT – BASELINE CONTROLS IMPLEMENTED IS AUDIT INVOLVEMENT POST IMPLEMENTATION REVIEW REGULATORY CERTIFICATION PRE -
IMPLEMENTATION
TREASURY HIGH RISK AREA BANK IS INVESTING OR TRADING MONEY MARKET PRODUCTS FOREIGN CURRENCY (FX) DERIVATIVES TRANSACTION SIZES MAY BE VERY LARGE POTENTIAL FOR PROFIT/LOSSES MAY BE
VERY LARGE DEPENDING ON MARKET CONDITIONS
TREASURY RISK APPROVAL TO COMMIT THE BANK GIVEN TO
TRADERS BEFORE TRANSACTION THROUGH THE USE OF VARIOUS LIMITS
MONITORING OF COMPLIANCE WITH LIMITS IS CRITICAL TO RISK MANAGEMENT IN TRASURY
SEGREGATION OF DUTIES IS ALSO CRITICAL ( FRONT OFFICE, MIDDLE OFFICE, BACK OFFICE)
TRADERS MUST NO HAVE ACCESS TO RATE REVALUATION SYSTEMS – COULD HIDE LOSSES
TRADERS SHOULD NOT HAVE ACCESS TO CONFIRMATION AND SETTLEMENT SYSTEMS – COULD HIDE TRADES AND LOSSES
IT SECURITY DESIGN IMPORTANT TO DEAL WITH THESE ISSUES
TREASURY –KEY BANK LOSSES/FRAUDS 2002 TRADER JOHN RUSNACK - £485 MILLION
LOSS TO ALLIED IRISH BANK – TAMPERED WITH REUTERS RATES FEED
2008 TRADER JEROME KERVIEL – $ 7 BILLION LOSS – HAD PREVIOUSLY WORKED IN BACK OFFICE, HID TRANSACTIONS (TRADES), FALSIFIED E-MAIL, - FVTER
1995 – trader NICK LEESON – HID £865M LOSSES, BROUGHT DOWN BARINGS BANK…..INTEGRATED IT SYSTEMS COULD HAVE PREVENTED BANK COLLAPSE - COMPUTERWEEKLY
COSO –CONTROL MODEL
MONITORING
INFORMATION AND COMMUNICATION
CONTROL PROCEDURES
RISK ASSESSMENT
CONTROL ENVIRONMENT
IT GOVERNANCE ‘FINANCIAL INSTITUTIONS SHOULD
IMPLEMENT AN ONGOING SECURITY PROCESS AND INSTITUTE APPROPRIATE GOVERNANCE FOR THE SECURITY FUNCTION, ASSIGNING CLEAR AND APPROPRIATE ROLES AND RESPONSIBILITIES TO THE BOARD OF DIRECTORS, MANAGEMENT AND EMPLOYEES’ - FFIEC
IS SECURITY STRATEGY FINANCIAL INSTITUTIONS SHOULD DEVELOP A
STRATEGY THAT DEFINES CONTROL OBJECTIVES AND ESTABLISHES AN IMPLEMENTATION PLAN. THE SECURITY STRATEGY SHOULD INCLUDE
APPROPRIATE CONSIDERATION OF PREVENTION, DETECTION, AND RESPONSE MECHANISMS,
IMPLEMENTATION OF THE LEAST PERMISSIONS AND LEAST PRIVILEGES CONCEPTS,
LAYERED CONTROLS THAT ESTABLISH MULTIPLE CONTROL POINTS BETWEEN THREATS AND ORGANIZATION ASSETS, AND
POLICIES THAT GUIDE OFFICERS AND EMPLOYEES IN IMPLEMENTING THE SECURITY PROGRAM. -FFIEC
IT RISK ASSESSMENT GATHERS DATA REGARDING THE INFORMATION AND
TECHNOLOGY ASSETS OF THE ORGANIZATION, THREATS TO THOSE ASSETS, VULNERABILITIES, EXISTING SECURITY CONTROLS AND PROCESSES, AND THE CURRENT SECURITY STANDARDS AND REQUIREMENTS;
ANALYZES THE PROBABILITY AND IMPACT ASSOCIATED WITH THE KNOWN THREATS AND VULNERABILITIES TO THEIR ASSETS; AND
PRIORITIZES THE RISKS PRESENT DUE TO THREATS AND VULNERABILITIES TO DETERMINE THE APPROPRIATE LEVEL OF TRAINING, CONTROLS, AND ASSURANCE NECESSARY FOR EFFECTIVE MITIGATION. - FFIEC
IT RISK ASSESSMENT BOTH TECHNICAL AND NON-TECHNICAL
INFORMATION SHOULD BE GATHERED. TECHNICAL INFORMATION – NETWORK MAPS DETAILING INTERNAL AND
EXTERNAL CONNECTIVITY; HARDWARE AND SOFTWARE INVENTORIES; DATABASES AND FILES THAT CONTAIN CRITICAL
AND/OR CONFIDENTIAL INFORMATION; PROCESSING ARRANGEMENTS AND INTERFACES
WITH EXTERNAL ENTITIES; HARDWARE AND SOFTWARE CONFIGURATIONS; POLICIES, STANDARDS, AND PROCEDURES FOR
THE OPERATION, MAINTENANCE, UPGRADING, AND MONITORING OF TECHNICAL SYSTEMS.- FFIEC
IT RISK ASSESSMENT NON-TECHNICAL INFORMATION POLICIES, STANDARDS, AND PROCEDURES ADDRESSING
PHYSICAL SECURITY (INCLUDING FACILITIES AS WELL AS INFORMATION ASSETS THAT INCLUDE LOAN DOCUMENTATION, DEPOSIT RECORDS AND SIGNATURE CARDS, AND KEY AND ACCESS CODE LISTS),
PERSONNEL SECURITY (INCLUDING HIRING BACKGROUND CHECKS AND BEHAVIOUR MONITORING),
VENDOR CONTRACTS, PERSONNEL SECURITY TRAINING AND EXPERTISE, AND
INSURANCE COVERAGE. ADDITIONALLY, INFORMATION REGARDING CONTROL
EFFECTIVENESS SHOULD BE GATHERED. TYPICALLY, THAT INFORMATION COMES FROM SECURITY MONITORING, INCLUDING SELF-ASSESSMENTS, METRICS, AND INDEPENDENT TESTS.
FFIEC
IT SYSTEMS ASSESSMENT ‘SOME SYSTEMS AND DATA STORES
MAY NOT BE READILY APPARENT. FOR EXAMPLE, BACKUP TAPES, PORTABLE COMPUTERS, PERSONAL DIGITAL ASSISTANTS, MEDIA SUCH AS COMPACT DISKS, MICRO DRIVES, AND DISKETTES, AND MEDIA USED IN SOFTWARE DEVELOPMENT AND TESTING SHOULD BE CONSIDERED’. - FFIEC
IT THREATS AND VULNERABILITIES THREATS -EVENTS THAT COULD CAUSE HARM TO THE
CONFIDENTIALITY, INTEGRITY, OR AVAILABILITY OF INFORMATION OR INFORMATION SYSTEMS.
EXPLOITING A VULNERABILITY TO CAUSE HARM THROUGH THE UNAUTHORIZED DISCLOSURE, MISUSE, ALTERATION, OR DESTRUCTION OF INFORMATION OR INFORMATION SYSTEMS.
INTERNAL (MALICIOUS OR INCOMPETENT EMPLOYEES, CONTRACTORS, SERVICE PROVIDERS, AND FORMER INSIDERS)
EXTERNAL (CRIMINALS, RECREATIONAL HACKERS, COMPETITORS, AND TERRORISTS). - FFIEC
IT THREATS AND VULNERABILITIES VULNERABILITIES - WEAKNESSES IN A SYSTEM,
OR CONTROL GAPS THAT, IF EXPLOITED, COULD RESULT IN THE UNAUTHORIZED DISCLOSURE, MISUSE, ALTERATION, OR DESTRUCTION OF INFORMATION OR INFORMATION SYSTEMS.
VULNERABILITIES ARE GENERALLY GROUPED INTO TWO TYPES: KNOWN AND EXPECTED. - FFIEC
VULNERABILITIES KNOWN VULNERABILITIES - DISCOVERED BY
TESTING OR OTHER REVIEWS OF THE ENVIRONMENT, KNOWLEDGE OF POLICY WEAKNESSES, KNOWLEDGE OF INADEQUATE IMPLEMENTATIONS, AND KNOWLEDGE OF PERSONNEL ISSUES. .
EXPECTED VULNERABILITIES - THOSE THAT CAN REASONABLY BE ANTICIPATED TO ARISE IN THE FUTURE. EXAMPLES
UNPATCHED SOFTWARE, NEW AND UNIQUE ATTACK METHODOLOGIES THAT
BYPASS CURRENT CONTROLS, EMPLOYEE AND CONTRACTOR FAILURES TO PERFORM
SECURITY DUTIES SATISFACTORILY, PERSONNEL TURNOVER - FFIEC
IT SECURITY POLICY KEY ACTIONS THAT CONTRIBUTE TO THE SUCCESS OF A SECURITY
POLICY ARE IMPLEMENTING THROUGH ORDINARY MEANS, SUCH AS SYSTEM
ADMINISTRATION PROCEDURES AND ACCEPTABLE-USE POLICIES; ENFORCING POLICY THROUGH SECURITY TOOLS AND SANCTIONS; DELINEATING THE AREAS OF RESPONSIBILITY FOR USERS,
ADMINISTRATORS, AND MANAGERS; COMMUNICATING IN A CLEAR, UNDERSTANDABLE MANNER TO ALL
CONCERNED; OBTAINING EMPLOYEE CERTIFICATION THAT THEY HAVE READ AND
UNDERSTOOD THE POLICY; PROVIDING FLEXIBILITY TO ADDRESS CHANGES IN THE ENVIRONMENT;
AND CONDUCTING ANNUALLY A REVIEW AND APPROVAL BY THE BOARD
OF DIRECTORS. - FFIEC
SECURITY DOMAINS A SECURITY DOMAIN IS A PART OF THE SYSTEM WITH
ITS OWN POLICIES AND CONTROL MECHANISMS. SECURITY DOMAINS FOR A NETWORK ARE TYPICALLY
CONSTRUCTED FROM ROUTING CONTROLS AND DIRECTORIES.
DOMAINS CONSTRUCTED FROM ROUTING CONTROLS MAY BE BOUNDED BY NETWORK PERIMETERS WITH PERIMETER CONTROLS.
THE PERIMETERS SEPARATE WHAT IS NOT TRUSTED FROM WHAT MAY BE TRUSTWORTHY. THE PERIMETERS SERVE AS WELL-DEFINED TRANSITION POINTS BETWEEN TRUST AREAS WHERE POLICY ENFORCEMENT AND MONITORING TAKES PLACE.
AN EXAMPLE OF SUCH A DOMAIN IS A DEMILITARIZED ZONE (DMZ), BOUNDED BY A PERIMETER THAT CONTROLS ACCESS FROM OUTSIDE AND INSIDE THE INSTITUTION.
DOMAINS CONSTRUCTED FROM DIRECTORIES MAY LIMIT ACCESS TO NETWORK RESOURCES AND APPLICATIONS BASED ON ROLE OR FUNCTION. - FFIEC
DEFENSE IN DEPTH FINANCIAL INSTITUTIONS SHOULD DESIGN MULTIPLE LAYERS OF SECURITY
CONTROLS ESTABLISH SEVERAL LINES OF DEFENSE BETWEEN THE ATTACKER AND THE
ASSET BEING ATTACKED. AN INTERNET SECURITY - A PACKET FILTERING ROUTER WITH STRICT ACCESS
CONTROL RULES, IN FRONT OF AN APPLICATION LEVEL FIREWALL, IN FRONT OF WEB SERVERS, IN FRONT OF A TRANSACTIONAL SERVER, IN FRONT OF A DATABASE SERVER, WITH INTRUSION DETECTION SYSTEMS LOCATED AT
VARIOUS POINTS BETWEEN THE SERVERS AND ON CERTAIN HOSTS. THE LAYERS SHOULD BE AT MULTIPLE CONTROL POINTS THROUGHOUT THE
COMMUNICATION AND TRANSACTIONAL FLOW AND SHOULD INCLUDE BOTH SYSTEMS AND MANUAL PROCESSES. TO SUCCESSFULLY ATTACK AN ASSET, EACH LAYER MUST BE PENETRATED. WITH EACH PENETRATION, THE PROBABILITY OF DETECTING THE ATTACKER INCREASES. - FFIEC
NETWORK SECURITY FINANCIAL INSTITUTIONS SHOULD SECURE ACCESS TO
THEIR COMPUTER NETWORKS THROUGH MULTIPLE LAYERS OF ACCESS CONTROLS TO PROTECT AGAINST UNAUTHORIZED ACCESS. INSTITUTIONS SHOULD
GROUP NETWORK SERVERS, APPLICATIONS, DATA, AND USERS INTO SECURITY DOMAINS (E.G., UNTRUSTED EXTERNAL NETWORKS, EXTERNAL SERVICE PROVIDERS, OR VARIOUS INTERNAL USER SYSTEMS);
ESTABLISH APPROPRIATE ACCESS REQUIREMENTS WITHIN AND BETWEEN EACH SECURITY DOMAIN;
IMPLEMENT APPROPRIATE TECHNOLOGICAL CONTROLS TO MEET THOSE ACCESS REQUIREMENTS CONSISTENTLY; AND
MONITOR CROSS-DOMAIN ACCESS FOR SECURITY POLICY VIOLATIONS AND ANOMALOUS ACTIVITY. -
FFIEC
OPERATING SYSTEM SECURITY FINANCIAL INSTITUTIONS SHOULD SECURE ACCESS TO
THE OPERATING SYSTEMS OF ALL SYSTEM COMPONENTS BY
SECURING ACCESS TO SYSTEM UTILITIES, RESTRICTING AND MONITORING PRIVILEGED ACCESS, LOGGING AND MONITORING USER OR PROGRAM
ACCESS TO SENSITIVE RESOURCES AND ALERTING ON SECURITY EVENTS,
UPDATING THE OPERATING SYSTEMS WITH SECURITY PATCHES, AND
SECURING THE DEVICES THAT CAN ACCESS THE OPERATING SYSTEM THROUGH PHYSICAL AND LOGICAL MEANS. -FFIEC
APPLICATION SECURITY FINANCIAL INSTITUTIONS SHOULD CONTROL
ACCESS TO APPLICATIONS BY USING AUTHENTICATION AND AUTHORIZATION
CONTROLS APPROPRIATELY ROBUST FOR THE RISK OF THE APPLICATION,
MONITORING ACCESS RIGHTS TO ENSURE THEY ARE THE MINIMUM REQUIRED FOR THE USER'S CURRENT BUSINESS NEEDS,
USING TIME-OF-DAY LIMITATIONS ON ACCESS AS APPROPRIATE,
LOGGING ACCESS AND SECURITY EVENTS, AND
USING SOFTWARE THAT ENABLES RAPID ANALYSIS OF USER ACTIVITIES. - FFIEC
REMOTE ACCESS -CONTROLS FINANCIAL INSTITUTIONS SHOULD SECURE REMOTE
ACCESS TO AND FROM THEIR SYSTEMS BY DISABLING REMOTE COMMUNICATIONS IF NO BUSINESS
NEED EXISTS, TIGHTLY CONTROLLING ACCESS THROUGH MANAGEMENT
APPROVALS AND SUBSEQUENT AUDITS, IMPLEMENTING ROBUST CONTROLS OVER
CONFIGURATIONS AT BOTH ENDS OF THE REMOTE CONNECTION TO PREVENT POTENTIAL MALICIOUS USE,
LOGGING AND MONITORING ALL REMOTE ACCESS COMMUNICATIONS,
SECURING REMOTE ACCESS DEVICES, AND USING STRONG AUTHENTICATION AND ENCRYPTION TO
SECURE COMMUNICATIONS - FFIEC
PHYSICAL ACCESS - CONTROLS FINANCIAL INSTITUTIONS SHOULD DEFINE
PHYSICAL SECURITY ZONES AND IMPLEMENT APPROPRIATE PREVENTATIVE AND DETECTIVE CONTROLS IN EACH ZONE TO PROTECT AGAINST THE RISKS OF
PHYSICAL PENETRATION BY MALICIOUS OR UNAUTHORIZED PEOPLE,
DAMAGE FROM ENVIRONMENTAL CONTAMINANTS, AND
ELECTRONIC PENETRATION THROUGH ACTIVE OR PASSIVE ELECTRONIC EMISSIONS. - FFIEC
ENCRYPTION CONTROLS FINANCIAL INSTITUTIONS SHOULD EMPLOY
ENCRYPTION TO MITIGATE THE RISK OF DISCLOSURE OR ALTERATION OF SENSITIVE INFORMATION IN STORAGE AND TRANSIT.
ENCRYPTION IMPLEMENTATIONS SHOULD INCLUDE ENCRYPTION STRENGTH SUFFICIENT TO PROTECT THE INFORMATION FROM DISCLOSURE UNTIL SUCH TIME AS DISCLOSURE POSES NO MATERIAL RISK,
EFFECTIVE KEY MANAGEMENT PRACTICES, ROBUST RELIABILITY, AND APPROPRIATE PROTECTION OF THE ENCRYPTED
COMMUNICATION'S ENDPOINTS - FFIEC
ENCRYPTION KEY MANAGEMENT GENERATING KEYS FOR DIFFERENT CRYPTOGRAPHIC SYSTEMS AND
DIFFERENT APPLICATIONS; GENERATING AND OBTAINING PUBLIC KEYS; DISTRIBUTING KEYS TO INTENDED USERS, INCLUDING HOW KEYS SHOULD
BE ACTIVATED WHEN RECEIVED; STORING KEYS, INCLUDING HOW AUTHORIZED USERS OBTAIN ACCESS TO
KEYS; CHANGING OR UPDATING KEYS, INCLUDING RULES ON WHEN KEYS SHOULD
BE CHANGED AND HOW THIS WILL BE DONE; DEALING WITH COMPROMISED KEYS; REVOKING KEYS AND SPECIFYING HOW KEYS SHOULD BE WITHDRAWN OR
DEACTIVATED; RECOVERING KEYS THAT ARE LOST OR CORRUPTED AS PART OF BUSINESS
CONTINUITY MANAGEMENT; ARCHIVING KEYS; DESTROYING KEYS -FFIEC
MONITORING MONITORING NETWORK AND HOST ACTIVITY TO IDENTIFY POLICY
VIOLATIONS AND ANOMALOUS BEHAVIOR; MONITORING HOST AND NETWORK CONDITION TO IDENTIFY
UNAUTHORIZED CONFIGURATION AND OTHER CONDITIONS WHICH INCREASE THE RISK OF INTRUSION OR OTHER SECURITY EVENTS;
ANALYZING THE RESULTS OF MONITORING TO ACCURATELY AND QUICKLY IDENTIFY, CLASSIFY, ESCALATE, REPORT, AND GUIDE RESPONSES TO SECURITY EVENTS; AND
RESPONDING TO INTRUSIONS AND OTHER SECURITY EVENTS AND WEAKNESSES TO APPROPRIATELY MITIGATE THE RISK TO THE INSTITUTION AND ITS CUSTOMERS, AND TO RESTORE THE INSTITUTION'S SYSTEMS.
MONITORING SHOULD, COMMENSURATE WITH THE RISK, IDENTIFY CONTROL FAILURES BEFORE A SECURITY INCIDENT OCCURS, DETECT AN INTRUSION IN SUFFICIENT TIME TO ENABLE AN EFFECTIVE AND TIMELY RESPONSE,
SUPPORT POST-EVENT FORENSICS ACTIVITIES. - FFIEC
FUTURE TRENDS/THREATS DEPEND ON TECHNOLOGY TRENDS TELECOMS AND BANKING CONVERGENCE RISKS IN MOBILE MONEY INDUSTRY CLOUD COMPUTING MOBILE COMPUTING AND WIRELESS
COMPUTING THREATS EASE OF ACCESS TO INTERNET AND TOOLS TO
COMMIT FRAUD FASTER SPEEDS FOR INTERNET ACCESS IN
EAST AFRICA GREATER OUTSOURCING? NEW IT SAVVY GENERATION?
SOLUTIONS IT AWARENESS USER AND CUSTOMER TRAINING STAFF SCREEENING ETHICAL EMPHASIS EMBEDDING STRONG CONTROL AND RISK
CULTURE IN BANKS SYSTEMS CERTIFICATION BY REGULATORS
BEFORE DEPLOYMENT STRENGHTEN IT CONTROL, SECURITY, AUDIT
PROFESSION AND TRAIN MORE PROFESSIONALS INCREASE CEO AND BOARD AWARENESS
OTHER BEST PRACTICES ISO 17799 : CODE OF PRACTIVE FOR
INFORMATION SECURITY MANAGEMENT BS 7799: SPECIFICATION FOR
INFORMATION SECURITY MANAGEMENT SYSTEMS
COBIT
REFERENCES http://ithandbook.ffiec.gov/it-booklets.aspx http://
www.securitymanagement.com/article/atm-fraud-trends-europe-006362
http://www.bizreport.com/2009/03/consumers_in_the_us_are.html#
http://www.csoonline.com/article/555863/atm-skimming-how-to-recognize-card-fraud
http://iss.gwu.edu/merlin-cgi/p/downloadFile/d/21440/n/off/other/1/name/BaselineSecurityRequirementsandControls-Techn/
http://fvter.wordpress.com/2008/01/30/kervielsociete-generale-information-security-insider-threat/
http://www.computerweekly.com/Articles/2009/10/27/238308/Podcast-interview-Nick-Leeson-says-Integrated-IT-could-have-prevented-Barings.htm