Info Sec Awareness@Dec7th12-Final


  • 8/13/2019 Info Sec Awareness@Dec7th12-Final

    Slide 1/53: Information Security Awareness

    Information Security Group

    Risk Department, HO

  • Slide 2/53: Information Security Awareness

    Information Security: protecting / safeguarding Information and Information Systems from malicious hackers, employees, outsourced staff, consultants, suppliers & customers.

  • Slide 3/53: Objective of Information Security

    To ensure CIA (Confidentiality, Integrity, Availability) of Information Systems & to avoid:

    Financial, Information and Reputation loss

    Unfavorable Media Exposure

    Fraud, Abuse & Lawsuits

    To prevent Cyber crime:

    Unauthorized Access & Hacking

    Salami Attack & DoS Attack

    Virus / Worm Attack

    Cyber Pornography

    To comply with IT Act & RBI Guidelines.

  • Slide 4/53: Implementation of Information Security

    The Information Security responsibility rests with the Bank, the Employees and the Customers.

    The Bank: Preparation of the Information Security Policy & its implementation. Equip the Bank with the best information security practices in the Industry. Ensure CIA. Regulatory & Statutory compliance. Spreading Awareness. Security Certifications.

    The Employees: Employees ought to be aware of, spread & follow the Information Security Policy. They should be alert to notice security incidents and report the same to ISG ([email protected]).

    The Customers: Customers need to be aware of the risks associated with Alternate channels, and practice the caution & precautions advised by the Bank.

  • Slide 5/53: Information Security - Bank Posture

    Information Security Policy approved by the Board of the Bank.

    Adopt the best security practices in the Banking Industry.

    Layer 3 Data Center and DR Site; security devices like Firewalls, IDS/IPS, Proxy Servers, Anti-virus, Content-filters, DMZ, 24x7 monitoring & log analysis, Anti-Phishing, Hardening, Application testing, VA / PT etc.

    Obtaining security standards like ISO 27001, PCI-DSS etc.

    Compliance with RBI & IT-Act security directives.

    Spread awareness among employees & customers.

  • Slide 6/53: IT ACT Sec 43A - Compensation for failure to protect data

    Where a body corporate, possessing, dealing or handling any sensitive personal data in a computer resource which it owns/controls/operates, is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

  • Slide 7/53: IT ACT Sec 72A - Punishment for disclosure of information in breach of lawful contract

    Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

  • Slide 8/53: Information Security - Incidents

    2007: HSBC Bank fined 3.2 million by the Financial Security Authority (FSA UK) for losing details of 180,000 life insurance customers. Reason: unencrypted floppy disk lost in the post.

    2010: The virus Stuxnet targeted Iran's nuclear program, closing down the automation network at the Natanz and Fordo facilities. Reason: Email along with the virus was sent to scientists there.

  • Slide 9/53: Information Security - Incidents

    Recent reports showed hackers earned $12.5 billion in 2011, mainly by password breach and online frauds.

    Sony ($171 million): 2011, Sony PlayStation Network suffers security breach. Up to 24 million users affected and personal, billing and password security questions stolen. Sony expects to pay out $171 million in new protection, welcome-back and customer support programmes and legal cost.

    Citigroup ($2.7 million): Hacked in June 2011; hackers exploited a basic online vulnerability and stole account information from 200,000 clients. Because of the hacking, Citigroup said it lost $2.7 million.

  • Slide 10/53: Data theft incident

  • Slide 11/53: Practical aspects of Information Security

    Passwords

    Desktop Security

    Alternate channels

    Email / Internet

  • Slide 12/53: Passwords

    A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource. It is your identity to a particular system: Finacle, Internet, e-Mail, HR system, Desktop etc.

    Passwords are like bubblegum: they are better when fresh.

    Passwords are like toothbrushes: they shouldn't be shared, and you should get a new one regularly.

  • Slide 13/53: Passwords (contd)

    You are only as secure as the weakest link in your security chain.

    The weakest link in the security chain: Human.

    "Only two things are infinite, the Universe & Human stupidity, and I am not sure about the former."

  • Slide 14/53: Weak Passwords

  • Slide 15/53: Information Security Awareness

  • Slide 16/53: Password Attacks

    Shoulder Surfing

    Brute force Attack

    Dictionary Attack

    Applications limiting the no. of unsuccessful password attempts.

    Be cautious of people looking at your keyboard.

    Use a combination of alphanumeric and special characters.

  • Slide 17/53: How Passwords can be compromised

    Sharing your Passwords

    Sending personal information over the internet

    Writing your Passwords on paper or storing them on hard disk

    Using weak / repeated / blank / default passwords

  • Slide 18/53: Passwords - Steps taken by the Bank

    Password Policy for employees & customers

    Raising awareness among employees & customers

    Password policy as part of OS hardening in servers

    Employees forced to change passwords in critical applications

    Customers forced to change net-banking passwords & Virtual keyboard on net-banking sites

  • Slide 19/53: Passwords - How to make them strong?

    Make Passwords strong by using a combination of:

    English lower-case alphabets (a, b, c)

    English upper-case alphabets (A, B, C)

    Arabic numerals (1, 2, 3)

    Special characters (! # @ % $ *)

    Examples of strong passwords:

    "How to choose a very strong password?": H2C@VsP or h2cAv5p?

    "No Frills Account": N0Fr!11$Ac

    "Time is a great healer": T!$@G8hr

    "Chor Ki Dadi Mein Tinka": CkD@d1mT
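    As an added example (not from the slides), the following Python checks a candidate password against the four character classes listed on this slide and flags dictionary words, which is the weakness a dictionary attack (slide 16) exploits. It also estimates the brute-force search space in bits, which shows why adding length and mixing classes matters more than any single substitution. The wordlist and the 8-character minimum are constructed assumptions; the slide states neither. The sample passwords on this slide are published here, so they illustrate the method and should not be used as they are.

```python
import math
import re
import string

# Constructed, illustrative wordlist; a real check would use a large
# dictionary-attack list (assumption, not from the slides).
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "bank",
                "finacle", "qwerty", "123456"}

# The four character classes the slide asks for.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),   # includes ! # @ % $ *
}

MIN_LENGTH = 8   # assumption: the slide gives no minimum length


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def search_space_bits(password):
    """log2 of the keyspace an attacker who knows which classes are in use
    must search by brute force: (sum of class sizes) ** length."""
    size = sum(len(CLASSES[name]) for name in classes_used(password))
    return round(len(password) * math.log2(size), 1) if size else 0.0


def dictionary_hit(password):
    """True if the password is a wordlist entry, or becomes one once the
    digits and specials are stripped (e.g. 'Password1!')."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return password.lower() in COMMON_WORDS or core in COMMON_WORDS


def assess(password):
    """Apply the slide's composition rule plus the dictionary check and
    return a verdict with the reasons."""
    findings = []
    missing = sorted(set(CLASSES) - classes_used(password))
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if missing:
        findings.append("missing " + ", ".join(missing))
    if dictionary_hit(password):
        findings.append("dictionary word")
    return {"strong": not findings, "findings": findings,
            "bits": search_space_bits(password)}


if __name__ == "__main__":
    for candidate in ("N0Fr!11$Ac", "T!$@G8hr", "Password1!", "welcome"):
        print(candidate, assess(candidate))
```

    A composition check is only one of the slide's rules: "Password1!" satisfies all four classes and still fails, because stripping the digit and the special character leaves a wordlist entry. The bit estimate is an upper bound that assumes the password is random within its classes; a mnemonic password is weaker than the number suggests, but the same figure still makes the point that a 10-character mixed password (about 65 bits) sits far above a 7-letter lower-case word (about 33 bits).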

  • Slide 20/53: Passwords - Incidents

  • Slide 21/53: Passwords - Dos & Don'ts

    Make strong passwords by a personally designed algorithm for generating obscure passwords.

    Passwords should be simple to remember & complex to break.

    Have different passwords for different systems / applications.

    Don't write your passwords anywhere (paper, bills, PC etc).

    Don't disclose your password to anyone (colleagues, friends).

    Don't send your password or personal information via e-mail.

    Don't use default passwords.

    Don't configure your browser to remember your passwords.

    Disable the Finacle login when on leave for more than 2 days.

    Change your passwords often.

    Beware of shoulder surfing.

  • Slide 22/53: Desktop Security

  • Slide 23/53: Desktop Security

    Have a boot-up & logon password & change them often.

    Lock your desktop when you leave your desk, even for a short span of time.

    Don't keep your personal information or passwords on your PC.

    Keep important files password protected.

    Ensure that the anti-virus client is installed on your PC and is getting updated on a regular basis.

    Never share a full drive; don't share folders/files on your PC; in case required, give user-specific, read-only access and remove the sharing after use.

    Don't install any software, licensed or unlicensed, other than those authorized by the Bank.

  • Slide 24/53: Desktop Security (contd)

    Don't execute any suspicious / doubtful file attachments received through e-mail.

    Don't download any software / game from the internet.

    Adhere to the desktop policy of the Bank.

    Don't enable Remote desktop access / VNC / Net-meeting without a password.

    Turn off your PC when you leave for the day.

    Restriction on use of USB / Pen drives.

    Don't let your computer become a Zombie.

    Report vulnerable computers to FMS Engineer / Help desk (39148061-64).

  • Slide 25/53: Viruses

  • Slide 26/53: Viruses (contd)

    Malicious software: Viruses

    Malicious code that is capable of inflicting a great deal of damage and causing extensive frustration:

    Stealing files containing personal information

    Sending emails from your account

    Rendering your computer unusable

    Removing files from your computer

    Source: Spam, websites, compromised Floppy/CD/DVD, Pen Drive, Games, Sharing of folders

  • Slide 27/53: Viruses - Incidents

    The Telegraph, Friday 05 October 2012 (Topic: Cyber espionage virus targets Lebanese banks)

    Virus named Gauss, after an apparent reference to a German mathematician contained in its code, has infected more than 2,500 computers, mainly in Lebanon, according to the Russian security firm Kaspersky Lab. It is designed to spy on customers of the Lebanese banks BlomBank, ByblosBank and Credit Libanais, analysis showed.

    Citibank and PayPal customers have also been targeted, Kaspersky Lab said. Unlike the viruses used by criminals to commit online banking fraud, Gauss targets a very specific set of institutions.

  • Slide 28/53: Viruses - Symptoms

    Computer runs more slowly than normal

    It stops responding or locks up often

    It crashes and restarts every few minutes

    It restarts on its own and fails to run normally

    Applications on your computer don't work correctly

    Disks or disk drives are inaccessible

    Documents are not printed correctly

    Unusual error messages pop up

    Menus and dialog boxes appear distorted

  • Slide 29/53: Viruses (Steps taken by the Bank)

    Anti-virus software from Trend Micro deployed on all PCs

    Suitable AV software put on all the servers

    Regular virus pattern updates on PCs done centrally

    AV scanning of mails at the mail gateway

    Trend Micro support to deal with any virus breakout

  • Slide 30/53: Viruses (Employee Responsibility)

    What you can do:

    Do not open attachments of suspicious e-mails

    Do not share folders for writing

    Use a strong password if sharing is inevitable

    Forward all suspicious e-mails as attachments to [email protected]

    Check for the Trend Micro Anti-virus icon on the status bar

    The OfficeScan client should be installed, up and running with the latest virus pattern updates

    Contact the FMS Engineer or Shri Santan Lobo of IIL, 022-39148119, [email protected] for Anti-Virus

  • Slide 31/53: USB / Pen Drive Risk

    Viruses: USB drives are the chief mode by which corporate PCs get infected with viruses

    Malicious software: Unauthorized software like shareware programs, software pranks and video clippings etc could be brought in on the USB drive

    Data theft: Disgruntled employees can steal data

    Data Loss: The portability of these USB Flash Drives adds to the potential for lost data that could fall into the wrong hands

    USB port / drive enabled (on request & undertaking) only on:

    2 PCs (of Branch Head & SOM) in each branch; 2 more PCs for ECCS purpose, if required

    PCs of all Officers of the grade DGM & above at branches

    PCs of all Officers of the grade AGM & above at Head Office

  • Slide 32/53: Phishing

    Definition: Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details, mobile nos. etc) by masquerading as a trusted entity.

    The Scenario: The victim receives an email that appears to have been sent from his bank. The victim believes the web page to be authentic and he enters his username, password and other information. In reality, the website is fake and the victim's information is stolen and misused.

    Vishing: phishing over voice.

  • Slide 33/53: Phishing Incidents

  • Slide 34/53: Phishing Incidents

    Fake URL & without https:// protocol

  • Slide 35/53: Phishing Incidents

    Fake URL & without https:// protocol

  • Slide 36/53: Phishing Incidents

    Credentials got compromised.

  • Slide 37/53: Phishing Incidents

  • Slide 38/53: Phishing Incidents

  • Slide 39/53: How to Recognize?

    Lock is missing
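    Slides 34, 35 and 39 give the two visible signs of the fake pages in the phishing incidents: a URL that is not the Bank's and a missing https:// lock. As an added example that is not part of the deck, the following Python applies those two checks, plus two related ones a help desk sees often (a user name placed before an @ to disguise the real host, and a raw IP address in place of a domain), to a link taken from a suspect mail. The genuine domain is a placeholder, since the slides do not name the Bank's net-banking site.

```python
import ipaddress
from urllib.parse import urlsplit

# Placeholder: the slides do not name the Bank's net-banking site, so an
# RFC 2606 example domain stands in for it here.
GENUINE_DOMAIN = "bank.example"


def check_url(url):
    """Return the warning signs found in a link. An empty list means none of
    these checks fired, which is not proof that the page is genuine."""
    warnings = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        warnings.append("no https:// (the browser lock will be missing)")
    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("no host name in link")
        return warnings
    if parts.username is not None:
        # https://www.bank.example@evil.example/ -> the real host is evil.example
        warnings.append("text before @ is a user name, not the host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of the bank's domain")
    except ValueError:
        pass   # a normal host name, not an IP literal
    genuine = host == GENUINE_DOMAIN or host.endswith("." + GENUINE_DOMAIN)
    if not genuine:
        brand = GENUINE_DOMAIN.split(".")[0]
        if brand in host:
            # bank.example.secure-login.example: the brand appears, but the
            # registered domain at the end is someone else's
            warnings.append(f"look-alike host {host} is not under {GENUINE_DOMAIN}")
        else:
            warnings.append(f"host {host} is not under {GENUINE_DOMAIN}")
    return warnings


if __name__ == "__main__":
    for link in ("https://netbanking.bank.example/login",
                 "http://netbanking.bank.example/login",
                 "https://www.bank.example@evil.example/login",
                 "https://bank.example.secure-login.example/",
                 "http://203.0.113.5/netbanking"):
        print(link, "->", check_url(link) or "no warning signs")
```

    The registered-domain test is the one that matters most: the browser shows the lock for any site with a valid certificate, so a look-alike host served over https passes the "lock" check and fails only on the domain.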

  • Slide 40/53: Top phishing hosting countries (Oct 2012)

  • Slide 41/53: Phishing - Steps taken by the Bank

    Guidelines as per the RBI circular on Prevention of Phishing attacks and Raising awareness of customers followed.

    Detection of phishing sites and take-down through MSS vendor.

    Flyers with Dos & Don'ts sent to educate / caution customers periodically.

    Different login and transaction passwords mandatory.

    One Time Password (OTP) / Unique Registration Number (URN) / Online Shopping Password (OSP) sent to mobile during Payee addition for fund transfer.

    SMS alerts sent when a new payee is added or the account is debited.

    Intra-day debit limit.

    Transaction access is disabled if not used for 3 months.

    Virtual keyboard to counter key-logging software.

    Multifactor authentication being evaluated.

  • Slide 42/53: Internet Banking - Incident

  • Slide 43/53: Internet Banking Security

    Inactive sessions get terminated automatically

    Login / transaction locked on multiple unsuccessful login attempts

    Separate passwords for login and transaction

    OTP/URN/OSP sent to mobile during Payee addition for fund transfer

    SMS / email alerts on account debit

    Virtual key-pad for login

    SSL / https secure access protocols

    Password mailed separately using special printing

    Password not stored in plain text

    Mandatory password change every 180 days

    Limiting the amount of transfers in a day
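    Slide 16 (applications limiting unsuccessful attempts), this slide (inactive sessions terminated, lockout on multiple failed logins, password not stored in plain text) and slide 47 (PIN not stored in plain text) describe three controls that a login service implements. The following Python is an added example of those controls, not the Bank's code: a password is stored only as a salted PBKDF2 hash, the account locks after a fixed number of failures, and a session idle past a timeout is dropped. The attempt limit, idle timeout and iteration count are constructed values; the slides give none of them.

```python
import hashlib
import hmac
import os
import time

# Constructed policy values (assumptions; the slides say "multiple" attempts
# and "inactive sessions terminated" without giving the Bank's numbers).
MAX_FAILED_ATTEMPTS = 3
IDLE_TIMEOUT_SECONDS = 300
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is ever stored; the
    plain-text password cannot be read back out of the database."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the idle timeout can be tested
        self.users = {}             # user -> {"salt", "hash", "failed", "locked"}
        self.sessions = {}          # token -> {"user", "last_seen"}

    def register(self, user, password):
        salt, digest = hash_password(password)
        self.users[user] = {"salt": salt, "hash": digest,
                            "failed": 0, "locked": False}

    def login(self, user, password):
        """Return (session_token, status). Unknown users and wrong passwords
        get the same status so the response does not reveal valid user ids."""
        rec = self.users.get(user)
        if rec is None:
            return None, "invalid credentials"
        if rec["locked"]:
            return None, "account locked"
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["hash"]):
            rec["failed"] += 1
            if rec["failed"] >= MAX_FAILED_ATTEMPTS:
                rec["locked"] = True        # lockout after repeated failures
                return None, "account locked"
            return None, "invalid credentials"
        rec["failed"] = 0                   # a successful login resets the counter
        token = os.urandom(16).hex()
        self.sessions[token] = {"user": user, "last_seen": self.clock()}
        return token, "ok"

    def touch(self, token):
        """Validate a session on every request. An idle session is terminated
        and None is returned, so the caller must log in again."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def unlock(self, user):
        """Administrative unlock, to be done only after the customer is verified."""
        rec = self.users[user]
        rec["failed"], rec["locked"] = 0, False
```

    The hash comparison uses hmac.compare_digest rather than == so that the comparison time does not depend on how many leading bytes match. The same structure applies to an ATM PIN: the stored value is a salted digest, and the card is captured once the failure counter reaches the limit.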

  • Slide 44/53: Internet Banking - Customer Awareness

    Be aware of the risks associated with net banking transactions

    Make strong passwords, keep them secret & change them often

    Register your mobile number with us and get SMS alerts to keep track of high-value card & net banking transactions in your account

    Avoid doing net banking transactions from Cyber Cafes as they are likely to have key loggers

    Use the Virtual Keypad to enter the password for enhanced security

    Keep your PC secure by using FW (firewall) and AV (anti-virus) software

    Be aware of phishing and take adequate precautions

  • Slide 45/53: ATM Security Threats

    Physical Attack: Steal cash from vaults, vandalism

    Card Cloning: Counterfeit card created from skimmed data

    Skimming Device

    Keyboard Overlay: False keypad used to record PIN

    Card Trapping: Trap the card in the ATM slot

    Install spy camera to record PIN entry

  • Slide 46/53: ATM Security Incidents

  • Slide 47/53: Info. Security in ATMs

    Security personnel to avert physical attack on ATM

    ATM Magnetic Stripe Card

    PIN mailed separately using special printing

    PIN not stored in plain text in database

    Encrypting PIN Pad

    Limiting withdrawal amount in a day

    Card captured on repeated input of wrong passwords

    Cards and PINs destroyed if undelivered for a long time

    Camera / storage of video footage

  • Slide 48/53: e-Mails - Risks

    Spam e-Mails: Unsolicited bulk emails

    Spoofing: Masquerading sender address & email header

    Phishing e-Mails

    Viruses, Worms, Trojans, Spywares, Malwares

    Malicious E-Mail Attachments
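    This slide names spoofing (a masqueraded sender address and headers), phishing mails and malicious attachments as the e-mail risks. As an added example (not from the deck), the following Python parses a constructed message and reports the header and attachment signs that a mail-gateway filter or an ISG analyst would look for: a Return-Path (envelope sender) or Reply-To domain that differs from the From domain, body text asking for a password, and an attachment with an executable or double extension. The sample mail, its addresses and its attachment are invented for the demonstration. A Return-Path mismatch on its own is also common for legitimate bulk mailers, so it is a signal to weigh together with the others, not a verdict.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (addresses and domains are invented; the
# base64 attachment body is the word "Placeholder", not a program).
SAMPLE_MAIL = """\
Return-Path: <bounce@mailer-77.example.net>
From: "Bank Customer Care" <care@bank.example>
Reply-To: verify@bank-example-secure.example.org
To: customer@example.com
Subject: Urgent: confirm your net-banking password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your account will be suspended. Open the attached form and reply with your password.
--b1
Content-Type: application/octet-stream; name="Form.pdf.exe"
Content-Disposition: attachment; filename="Form.pdf.exe"
Content-Transfer-Encoding: base64

UGxhY2Vob2xkZXI=
--b1--
"""

# Extensions that Windows runs directly when the attachment is opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".js", ".vbs"}


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def attachment_names(raw):
    msg = parse(raw)
    return [part.get_filename() or "" for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def triage(raw):
    """Return the warning signs found in the headers, body and attachments."""
    msg = parse(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(header, ""))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and "password" in body.get_content().lower():
        findings.append("body asks for a password")
    for name in attachment_names(raw):
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment {name}")
            if lower.count(".") > 1:
                # "Form.pdf.exe" is shown as "Form.pdf" when extensions are hidden
                findings.append(f"double extension {name}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MAIL):
        print("-", finding)
```

    The display name "Bank Customer Care" is deliberately ignored: it is free text chosen by the sender, which is why the checks work on the address domains instead. A gateway that quarantines on the attachment rule alone already removes the class of mail that slide 30 asks employees to forward to ISG.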

  • Slide 49/53: e-Mail Guidelines

    HR Circular No. IDBIBank/2009-10/247/HR/HR-61 on misuse of official mail facility.

    Email has become the official mode of communication and hence is to be used only for Business purposes.

    NO to exchange of views/comments/opinions on unofficial issues.

    NO Bulletin Boards, Newsgroups.

    User responsible for misuse. Password protect and do not share it with anyone.

    Emails are Bank property and can be intercepted without specific intimation.

    All emails are archived for 7 years.

    Don't open spam and suspicious mail attachments.

  • Slide 50/53: Internet Access

    Surfing the web is like swimming with sharks.

  • Slide 51/53: Internet Access (contd)

    Business purpose only

    Don't share passwords

    No to downloading games, freeware, shareware

    All internet access is logged and reviewed by ISG

    No to accessing porn material

    USB based modems prohibited

    Branch Heads, SOMs and AGMs & above provided internet access on request

    Recommendation of CGM / Vertical Head for grade A and B.

  • Slide 52/53: Security Incident Reporting

    Be alert and report incidents.

    Types of Incident:

    Hacking attempt

    Disclosure of Confidential / Sensitive Information

    Hardware / IT asset theft

    Virus incident

    Malfunctioning of IT equipment leading to unavailability of information resources

    Report Incidents to ISG ([email protected])

  • Slide 53/53: Thank You