THE IMPACT OF RECONNAISSANCE IN BANKS INFORMATION SYSTEMS
A CASE STUDY OF CO-OPERATIVE BANK OF KENYA

CARLVIN SOLOMON EZEKIEL MASAKHALIA
BBIT/MSA/08/00039

A MANAGEMENT RESEARCH PROJECT SUBMITTED IN THE PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE BACHELOR OF BUSINESS AND INFORMATION TECHNOLOGY

MT KENYA UNIVERSITY
APRIL 2011

Declaration

This research project is my original work and has never been presented for a degree in any other university.

Signature ......................................... Date .........................................
CARLVIN S.E. MASAKHALIA
BBIT/MSA/08/00039

This project is presented for examination with the approval of the university supervisor.

Signature ......................................... Date .........................................
LYNETTE KARIMI RINGEERA
ICT DEPARTMENT
MOUNT KENYA UNIVERSITY
Acknowledgements

Many thanks to MKU staff: the Director Mr Barasa, lecturers and subordinate staff. Many more thanks to all my close friends; I could not have made it this far without your support, materially and psychologically. It has been a short three years. I love you all!

I also acknowledge God for everything he has done in my life. Without God's blessings, wisdom, understanding and guidance throughout this course work I could not have lived to get to this point. Words are never enough to say thank you, but I am really grateful.

Lastly, special thanks to Ms Lynette, my supervisor: in this project you showed me the way when I was lost and pushed me whenever I was stuck. God reward you immensely.
Abstract

This project is a survey of the impact of reconnaissance in banks' information systems, a case study of Co-operative Bank of Kenya, Kenyatta Avenue branch. It was conducted as a result of the increase in fraud cases in the banking industry, where several banks have lost millions, notably Co-op Bank (November 2010) and Family Bank (February 2011). Co-operative Bank, particularly the Kenyatta Avenue branch, was chosen for this study because the bank has previously been attacked; the most recent case was at the bank's headquarters (January 2011), where Kshs 90 million was lost.

The first chapter describes the overview of the bank and the history of frauds attributed to reconnaissance attacks, the statement of the problem, the objective of the study, the research questions, and the significance, scope and limitations of the study. Chapter two describes the meaning of reconnaissance and the various ways in which it can be done; it further describes the technologies used, types of attacks, threats and vulnerabilities. Chapter three explains the research methodology adopted for the study, in which questionnaires were distributed to collect data from both customers and staff of the bank. The fourth chapter presents and analyses the data collected using tables and graphs. Chapter five deals with the summary of the major findings in relation to the objectives of the research and the research questions. Lastly, chapter six concludes and provides the recommendations of the research, giving solutions on the best ways to defend and safeguard the bank's information systems against reconnaissance attacks. This includes advice to the banking industry on the impact of reconnaissance.
Dedication

I dedicate this work to my late mother, Edith P. Ogeng, who taught me the value of education. You were one in a million!
List of Acronyms and Abbreviations

MKU - Mount Kenya University
NSE - Nairobi Stock Exchange
ATM - Automated Teller Machine
DNS - Domain Name System
FTP - File Transfer Protocol
IT - Information Technology
IDS - Intrusion Detection Systems
IIS - Internet Information Server
NT - Network Technology
SPSS - Statistical Package for the Social Sciences
ICANN - Internet Corporation for Assigned Names and Numbers
WWW - World Wide Web
ID - Identification
i.e. - that is
TABLE OF CONTENTS

Declaration ... I
Acknowledgements ... II
Abstract ... III
Dedication ... IV
List of Acronyms and Abbreviations ... V

CHAPTER 1
1.1 Introduction ... 1
1.2 Background Information ... 3
1.3 Statement of the Problem ... 4
1.4 Objective of the Study ... 5
1.5 Significance of the Study ... 5
1.6 Limitation of the Study ... 6
1.7 Scope of the Study ... 6

CHAPTER 2
2.1 Meaning and Definition ... 7
2.2 Reconnaissance Techniques ... 8
2.2.1 Low Technology Based Technique ... 8
2.2.2 Web Based Technique ... 10
2.2.3 Whois Database Technique ... 12
2.2.4 Domain Name System ... 13
2.3 Conceptual Framework ... 15
2.4 Gaps to be Filled ... 15

CHAPTER 3
3.1 Introduction ... 17
3.2 Research Design ... 17
3.3 Population and Sample Size ... 17
3.4 Sample Design ... 17
3.5 Data Collection Instruments/Tools ... 18
3.6 Data Collection Procedures ... 18
3.7 Data Presentation and Analysis Techniques ... 19

CHAPTER 4
4.1 Introduction ... 20
4.2 Staff Response ... 21
4.3 Staff Gender ... 21
4.4 Staff Age Category ... 22
4.5 Duration Worked with the Bank (Staff) ... 22
4.6 Highest Academic Qualifications (Staff) ... 23
4.7 Electronic Banking (Staff) ... 23
4.8 Handling of Cheques (Staff) ... 24
4.9 Money Transfer Services, for Example MoneyGram and SWIFT (Staff) ... 25
4.10 Loan Applications, Business and Personal Loans (Staff) ... 26
4.11 Staff Use of Credit Cards ... 26
4.12 Internet Banking ... 27
4.13 Account Transactions: Deposits, Withdrawals and Enquiries ... 28
4.14 Use of ATM and Debit Cards ... 29
4.15 Mobile Banking Services ... 30
4.16 Aspects of Social Engineering ... 32
4.17 Physical Break-ins ... 33
4.18 Leaving the Workstation ... 35
4.19 Disposal ... 35
4.20 Forms of Enquiries ... 36
4.21 Sharing User Details ... 37
4.23 Organisation's Website ... 38
4.24 Disposal of Customer Details ... 39
4.25 Level of Confidentiality of Customer Details ... 40
4.26 Entrusting Third Party with Customer Details ... 41
4.27 Provision of Customer Details on Telephone ... 42
4.28 Use of the Internet (WWW) in Providing Customer Information ... 43
4.29 Procedures Implemented to Ensure Physical Security of Systems/Networks ... 44
4.30 Training ... 45
4.31 Gender (Customers) ... 46
4.32 Age Category (in Years), Customers ... 47
4.33 Number of Years They Had Been with the Bank, Customers ... 48
4.34 Electronic Banking (Customer Response) ... 49
4.35 Handling of Cheques (Customer Response) ... 50
4.36 Money Transfer Services, for Example MoneyGram and SWIFT ... 51
4.37 Loan Applications, Business and Personal Loans (Customer Response) ... 52
4.38 Use of Credit Cards (Customer Response) ... 53
4.39 Internet Banking ... 54
4.40 Account Transactions: Deposits, Withdrawals and Enquiries ... 55
4.41 Use of ATM and Debit Cards ... 56
4.42 Mobile Banking Services ... 57
4.43 Aspects of Social Engineering ... 58
4.44 Disposal of Customer Details ... 60
4.45 Sharing of Customer Details ... 62
4.46 Keeping Your Customer Documentation ... 63
4.47 Privacy ... 63
4.48 Loss of ATM ... 64
4.49 Action Taken after the Loss of the ATM ... 65
4.50 Duration before Reporting ... 66
4.51 Documentation You Have Lost through Physical Break-ins ... 67
4.52 Organization's Website ... 68
4.53 Leaving Recipients ... 69
4.54 Records of Customer Details ... 70
4.55 Disclosure of Bank Account Details in Website ... 71
4.56 Sharing Your Financial Details in Internet Forums ... 72
4.30 Training/Education (Customers) ... 73

CHAPTER 5
5.0 Summary of the Major Findings ... 75
5.1 Conclusions ... 80
5.2 Recommendations ... 81

References ... 84
Appendices ... 85
Appendix 1 (Staff Questionnaire) ... 85
Appendix 2 (Customer Questionnaire) ... 89
CHAPTER 1

1.1 INTRODUCTION

Reconnaissance refers to the gathering of information about a system before the actual attack is carried out. Reconnaissance involves an attacker taking time to gather detailed information before the attack, using publicly available information. Through the reconnaissance phase, computer attackers can determine how best to mount their attack for success. To effectively launch certain types of attacks, a hacker usually needs some knowledge about the network topology or hardware used; the technique that gathers this type of information is called reconnaissance. Reconnaissance on its own is, in many environments, not a threat, but the intelligence found by employing it is often used later to attack a system or network. So the threat of reconnaissance attacks is mostly an indirect one: after the network has been scanned, this information is subsequently used for attacks.

There are four common reconnaissance techniques: low-technology reconnaissance, general web searches, WHOIS databases and the Domain Name System (DNS).

Low-technology reconnaissance usually involves social engineering, physical break-in and dumpster diving. In social engineering, an attacker calls an employee at the target organization on the phone and deceives the individual into revealing sensitive information; that is, the attacker pretends to be an employee, a customer or a supplier. Physical break-in involves attackers with physical access to computer systems gaining access to accounts and data. They may plant malicious programs on the internal systems, giving them remote control of your systems from the outside. Dumpster diving (trashing) involves going through an organization's garbage looking for sensitive information, i.e. the attacker looks for discarded paper, floppy disks, tapes and even hard drives containing sensitive data; in the process the attacker may get a complete diagram of the network architecture, user IDs and passwords.

In web-based reconnaissance an attacker uses a computer and Internet resources to learn about the target organization, that is, to determine the domain names, network addresses and contact information. One technique used is searching an organization's own web site, which could have useful information such as employees' contact details with phone numbers.

WHOIS databases are the third technique through which reconnaissance can be done on an organization. The WHOIS database contains a variety of data elements regarding the assignment of Internet addresses, domain names and individual contacts. The registrar of domain names ensures that your domain name is unique and assigns it to your organization by entering it into various databases, including WHOIS databases, so that your machines will be accessible on the Internet using your domain name. WHOIS was developed to allow people to look up information about domain name registrations.

Reconnaissance attacks can also be carried out using the Domain Name System (DNS). DNS is a component of the Internet: a hierarchical database distributed around the world that stores a variety of information, such as IP addresses, domain names and mail server information.
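As an added illustration of the WHOIS technique described above (this code is not part of the original project and is not the bank's or any registrar's software), the following Python script parses a WHOIS-style registration record and reports, from the defender's side, which published contact fields expose a named individual, a mailbox outside the organisation's own domain, or a direct phone line to a named person; these are exactly the data items the text says an attacker collects for social engineering. The sample record, the domain example-bank.invalid, the contact names and phone numbers, and the GENERIC_NAMES list are all constructed for this example.

```python
from typing import Dict, List

# Constructed sample WHOIS record for a hypothetical bank domain.
# The domain, names, mailboxes and numbers are invented for this example.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BANK.INVALID
Registrar: Example Registrar Ltd
Creation Date: 2005-03-14
Registrant Name: Jane Doe
Registrant Organization: Example Bank Limited
Registrant Email: jane.doe@example-bank.invalid
Registrant Phone: +254.700000000
Admin Name: Hostmaster
Admin Email: hostmaster@example-bank.invalid
Admin Phone: +254.700000001
Tech Name: John Smith
Tech Email: jsmith@personal-mail.invalid
Tech Phone: +254.700000002
Name Server: NS1.EXAMPLE-BANK.INVALID
Name Server: NS2.EXAMPLE-BANK.INVALID
"""

# Contact roles a registrar publishes: the registrant plus the administrative,
# technical and billing contacts named in the text.
ROLES = ("Registrant", "Admin", "Tech", "Billing")

# Role-account names that do not identify a person (assumed list; extend as needed).
GENERIC_NAMES = {"hostmaster", "domain administrator", "dns admin",
                 "it department", "webmaster"}


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' lines into a dict of value lists.

    Keys may repeat (for example several 'Name Server' lines), so every key
    maps to a list in the order the lines appeared. Lines without a colon
    are skipped, which drops registrar banners and blank lines.
    """
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key and value:
            record.setdefault(key, []).append(value)
    return record


def audit_whois(text: str, org_domain: str) -> List[str]:
    """Return findings about contact data an attacker could reuse.

    Per role it flags: a named individual instead of a role account, a
    contact mailbox outside the organisation's own domain, and a phone
    number tied to a named person rather than to a role.
    """
    record = parse_whois(text)
    findings: List[str] = []
    org_suffix = "@" + org_domain.lower()
    for role in ROLES:
        name = record.get(f"{role} Name", [""])[0]
        email = record.get(f"{role} Email", [""])[0]
        phone = record.get(f"{role} Phone", [""])[0]
        if not (name or email or phone):
            continue  # this role is not published in the record
        named_person = bool(name) and name.lower() not in GENERIC_NAMES
        if named_person:
            findings.append(f"{role} Name: '{name}' identifies a person; "
                            "publish a role account instead")
        if email and not email.lower().endswith(org_suffix):
            findings.append(f"{role} Email: {email} is outside {org_domain}; "
                            "a personal mailbox is an easy phishing target")
        if phone and named_person:
            findings.append(f"{role} Phone: {phone} is a direct line to a named "
                            "person; publish a switchboard or role number")
    return findings


if __name__ == "__main__":
    for finding in audit_whois(SAMPLE_WHOIS, "example-bank.invalid"):
        print(finding)
```

The parser assumes the common "Key: value" layout; real registrar output varies in field names and formatting, so the ROLES prefixes and the parser may need adjusting before running it over your own domain's record, and the finding list is a prompt for the awareness program and the registrar contact review rather than a verdict.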
1.2 BACKGROUND INFORMATION

OVERVIEW OF THE ORGANISATION

The Co-operative Bank of Kenya Limited ('the Bank') is incorporated in Kenya under the Companies Act and is also licensed to do the business of banking under the Banking Act. The Bank was initially registered under the Co-operative Societies Act at the point of founding in 1965. This status was retained until 27th June 2008, when the Bank's Special General Meeting resolved to incorporate under the Companies Act with a view to complying with the requirements for listing on the Nairobi Stock Exchange (NSE). The Bank went public and was listed on 22nd December 2008. Shares previously held by the 3,805 co-operative societies and unions were ring-fenced under Coop Holdings Co-operative Society Limited, which became the strategic investor in the Bank with a 64.56% stake.

The Bank runs three subsidiary companies, namely: Kingdom Securities Limited, a stockbroking firm in which the bank holds a controlling 60% stake; Co-op Trust Investment Services Limited, the fund management subsidiary wholly owned by the bank; and Co-operative Consultancy Services (K) Limited, the corporate finance, financial advisory and capacity-building subsidiary wholly owned by the bank.

BANK FRAUD AND RECONNAISSANCE

According to a Daily Nation report (14th January 2011), Co-operative Bank in the last quarter lost Kshs 300 million as a result of fraud, which is an increase from the previous year. Bank fraud has been common in the recent past, whereby customers, institutions and the bank itself have lost millions of shillings as a result. The report claims that most frauds occur as a result of attackers who are well informed about the bank's processes, database and administration. This information is usually obtained using various reconnaissance techniques, for example low-technology techniques (social engineering) and the World Wide Web.

Bank fraud is the use of fraudulent means to obtain money, assets, or other property owned or held by a financial institution. In several instances bank fraud is a criminal offence, and it occurs after information has been gathered about various aspects of the information systems, that is, after reconnaissance has been conducted. According to another Daily Nation report (6th May 2011), the most common forms in which the frauds have occurred are: stolen cheques, cheque kiting, forgery and altered cheques, accounting fraud, uninsured deposits, demand draft fraud, rogue traders, fraudulent loans, fraudulent loan applications, forged or fraudulent documents, wire fraud, bill discounting fraud, payment card fraud, stolen payment cards, duplication or skimming of card information, empty ATM envelope deposits, impersonation, prime bank fraud, the fictitious 'bank inspector', phishing and internet fraud, and money laundering. This report further described that most of these scams occurred as a result of well-informed attackers who had detailed knowledge of the bank's confidential information, raising the concern of how the information is obtained.

1.3 STATEMENT OF THE PROBLEM

The study aims to survey the impact of reconnaissance in the banking industry. Information systems, especially in the banking industry, are susceptible to reconnaissance attacks. The bank, its customers and employees have to ensure that confidential information is safeguarded from reconnaissance attacks in order to prevent fraud, through which they can lose millions of shillings. The main role of a bank is to ensure safe custody of the customers' funds. In the recent past there have been several cases where customers have lost huge amounts of money from their accounts. Common cases include forgery and impersonation, where attackers have full information about the client (the account number, the account name, ID number, sometimes even the PIN and signature) and hence are able to use the information to defraud the bank. This allows attackers to have full access to customer accounts. This research therefore uncovers reconnaissance in the banking industry.

1.4 OBJECTIVE OF THE STUDY

General Objective
The general objective of this study is to survey reconnaissance in banks' information systems.

Specific Objectives
The specific objectives of this study are:
a) To identify areas in the banking information systems which are affected by reconnaissance.
b) To identify the ways in which reconnaissance occurs in banks.
c) To create awareness of reconnaissance in banks.

Research Questions
a) What areas in the banking information systems are affected by reconnaissance?
b) What are the ways in which reconnaissance can be carried out in banks?
c) Are people (staff, customers, management) aware of reconnaissance?

1.5 SIGNIFICANCE OF THE STUDY

To the organisation/bank
This research is very important as it reveals areas of the bank which are affected by reconnaissance, in order for the bank to improve security in its information systems. The research also exposes ways in which the reconnaissance occurs.

To the employees
This research will raise awareness of reconnaissance among the staff and management; this helps to avoid future fraud cases.

1.6 LIMITATIONS OF THE STUDY

During the research, the following challenges were anticipated:

Accessibility of information
Banks have strict rules and regulations for accessing information. Accessing information in most cases requires authorization from the section heads, who at times are fearful and careful with sensitive information. It is therefore difficult to get some information.

Time
The bank staff at the Kenyatta Avenue branch are always busy and have specific duties assigned to them. They may not have enough time for me.

1.7 SCOPE OF THE STUDY

The study is limited to Co-operative Bank and is based at the Kenyatta Avenue branch near Makupa Police Station. It involves interviews in which various customers of the bank at that branch provide information on how they confide private information about their bank accounts. The interviews will provide vital details on the information attackers can obtain in order to carry out an attack. ATM outlets are also widely used by several customers, and a large amount of information can be collected from these points; this will therefore also be an area of study in this case.
CHAPTER 2

LITERATURE REVIEW

2.1 MEANING AND DEFINITION

Reconnaissance refers to gathering information. Reconnaissance involves an attacker taking time to gather detailed information before an attack, using publicly available information. Reconnaissance is the process by which a potential intruder will gain all of the information they need to know about an information system (IP Network Scanning and Security Reconnaissance, Joe Eitel). Through the reconnaissance phase, computer attackers can determine how best to mount their attack for success.

According to an interview in Bank Technology News (October 2008) by Rebecca Sausner, reconnaissance leads to multi-channel fraud. This is a matter of interest in information security in banks. Sophos, a popular site, found 16,000 web pages per day newly infected with key logging or other malware in August 2010. This means online banking customers remain vulnerable to unauthorized access; the difference now is that online reconnaissance is merely the first step in a multi-channel fraud play. Security Curve's Diana Kelley says tracking seemingly innocuous online activities requires analytics that are beyond most institutions' authentication firepower these days. Kelley further says that getting online and looking at the information in the account is actually a portion of the attack reconnaissance: the attacker is now finding out information that can be used in other channels, in other ways. In a case with one particular financial institution there appeared to be a standard wire transfer whose request had been faxed in, and it wasn't until they went back into the past [that they] were able to find there was somebody who had been looking at the account to see what was in there and get information. A lot of what went on during the reconnaissance didn't actually appear to be problematic. But if one thinks about what details banking accounts hold right now, it can actually be a lot of information that can be used in a variety of ways (multi-channel fraud).

2.2 RECONNAISSANCE TECHNIQUES

There are several techniques for reconnaissance in information systems; however, the four most common are low-technology reconnaissance, general web searches, WHOIS databases and the Domain Name System (DNS) (Penetration Testing and Network Defense, October 2005, Andrew Whitaker and Daniel Newman).

2.2.1 LOW TECHNOLOGY BASED TECHNIQUE

Low-technology reconnaissance includes social engineering, physical break-in and dumpster diving.

A social engineering attack is one in which the intended victim is somehow tricked into doing the attacker's bidding. An example would be responding to a phishing email, following the link and entering your banking credentials on a fraudulent website. The stolen credentials are then used for everything from finance fraud to outright identity theft (Antivirus Software Blog by Mary Landesman, October 10, 2008). Social engineering also involves an attacker calling an employee at the target organization on the phone and deceiving the individual into revealing sensitive information; that is, the attacker pretends to be an employee, a customer or a supplier. Social engineering is a deception where the attacker develops a pretext for the call. A female voice on the phone is more likely to gain trust in a social engineering attack than a male voice, although attackers of either gender can be remarkably effective. The most effective method of defending against the social engineer is user awareness: computer users at all levels must be trained not to give sensitive information away to a friendly caller. The security awareness program should inform employees about social engineering attacks and give explicit directions about information that should never be revealed over the phone; employees should not give out sensitive data (Social Engineering 101 (Q&A) by Elinor Mills, August 2010).

Table 1: Some Common Social Engineering Pretexts
- A new employee calls the help desk trying to figure out how to do a particular task on the computer.
- A manager calls a lower-level employee because his password has suddenly stopped working.
- A system administrator calls an employee to fix her account, which requires using her password.
- An employee in the field has lost his contact information and calls another employee to get the remote access phone number.
Source: Prof John Durret (Spring 2003), Reconnaissance and Scanning, page 53, Publisher: O'Reilly; Letian Li, ISQS 6342.

Physical break-in involves attackers with physical access to computer systems gaining access to accounts and data. Computer systems and networks are vulnerable to physical attack; therefore, procedures should be implemented to ensure that systems and networks are physically secure. Physical access to a system or network provides the opportunity for an intruder to damage, steal, or corrupt computer equipment, software, and information. Attackers may plant malicious programs on the
  21. 21. internal systems, giving them remote control capabilities of your systems from the outside (Federal Agency Security Practices. National Institute of Standards and Technology Web site: http://csrc.nist.gov/fasp/). Dumpster Diving (Trashing) is a fancy, glorified way of saying "trash picking". Dumpster diving, or trash picking, can lead to information which could be used to compromise a network or identity. If you discard bank statements, credit card statements or other sensitive information without first shredding or otherwise destroying it, you may be at risk for an attacker to gain information about you through dumpster diving (Tony Bradley, CISSP-ISSAP former About.com Guide). Basically, dumpster diving involves going through an organizations garbage, looking for sensitive information i.e. the attacker looks for discarded paper, floppy disks, tapes and even hard drives containing sensitive data. In the process the attacker may get a complete diagram of the network architecture user IDs and passwords. Effective methods of defending against dumpster diving could include: Paper shredders, and should be encouraged to use them for discarding all sensitive information. The awareness program must spell out how to discard sensitive information. 2.2.2 WEB BASED TECHNIQUE Another technique is web-based reconnaissance. A website is a virtual location on WWW, containing several subject or company related web pages and data files accessible through a browser. Each website has its own unique web address (see uniform resource locator) which can be reached through an internet connection(BusinessDictionary.com). In this technique an attacker uses a computer and internet resources to learn about the target organization that is determine the domain names, network addresses and contact xxi
information. This includes searching an organization's own Web site. The organization's Web site could have useful information on the following. Employees' contact information with phone numbers: this information is useful particularly for social engineering. Clues about the corporate culture and the language can also be obtained. The site could include significant information about product offerings, work locations, and even the best employees; digesting this information could be useful when conducting a social engineering attack. Business partners can be found: this knowledge could be useful in social engineering, or, by attacking a weak partner, the target organization could ultimately be reached. Information about recent mergers and acquisitions can also be obtained. During mergers many organizations forget about security issues, and a skilful attacker may target an organization during a merger: the company being acquired may have a lower security posture than the acquiring company, and the attacker can benefit by attacking the weaker organization. Technologies being used can also be shown. Some sites may include a description of the computing platforms in use (say, Windows NT, with an IIS Web Server, and an Oracle Database). Such information is useful for attackers, who will refine their attack based on this information (Mr Matt. Forum Italiano Discussione Utenti StoneGate, FIDUS, hacking tools reconnaissance). Using search engines, an attacker can retrieve information about the history, current events, and future plans of the target organization, for example the organization name, product names and known employee names. Use of Usenet newsgroups can also provide critical information. Internet Usenet newsgroups are used by employees to share information and ask questions; that is, employees may submit questions about how to configure a particular type of system or troubleshoot problems. An attacker could send a response giving incorrect advice about how to configure the system, tricking the user into lowering the security standing of the
organization. Web-based reconnaissance can be avoided by establishing policies regarding what type of information is allowed on your own Web servers; you want to make sure that you are not making things extra easy for attackers by publishing sensitive information on your own Web site. The organization must have a policy regarding the use of newsgroups and mailing lists by employees. The policy must be enforced by periodically and regularly conducting searches of open, public sources such as the Web and newsgroups, to see what the world is saying about your organization (Kerry J. Cox, Christopher Gerg. Managing Security with Snort and IDS Tools, August 2004, page 288).

2.2.3 WHOIS DATABASE TECHNIQUE

The third technique is WHOIS databases. WHOIS databases are the lists of names, e-mail addresses, postal addresses, and telephone numbers for the holders of the millions of internet domain names. The Internet Corporation for Assigned Names and Numbers (ICANN), which oversees domain name registries for many of the most important top-level domains, requires disclosure of this contact information (source: privacilla.org). According to L. Daigle (WHOIS Protocol Specification; September 2004), WHOIS databases provide search for information about the domain names, people, computers, organizations, and name servers involved with administering the Domain Name Service (DNS). A core set of this data constitutes a unified database view shared by all of the domain name registrars. An attacker can contact the target's registrar to obtain the following useful data:

- Names of persons: the complete registration information, i.e. the administrative, technical and billing contacts, that one can use to deceive people in the target organization during a social engineering attack.
- Telephone numbers: the telephone numbers associated with the contacts can be used by an attacker.
- Email addresses: these indicate (to an attacker) the format of email addresses used in the target organization; the attacker will know how to address email for any user.
- Postal addresses: an attacker can use this geographic information to conduct dumpster-diving exercises or social engineering.
- Registration dates: records that have not been recently updated may indicate an organization that is lax in maintaining their Internet connection, for example one that does not keep their servers or firewalls up to date either.
- Name servers: the addresses of the DNS servers of the target.

WHOIS searches can be prevented by keeping the registration information (that will appear in the WHOIS database) accurate and up to date. This information can let you inform an administrator of another network that their systems were used during the attack, if attack packets are traced to that network (David Lindsay, 2004. Privacy law and policy reporter).

2.2.4 DOMAIN NAME SYSTEM

The last technique is the Domain Name System. The DNS is a system that translates internet domain and host names to internet protocol addresses. DNS automatically converts the names typed in a web browser address bar to the IP addresses of the Web servers hosting those sites (Bradley Mitchell, 2011, About.com Guide). DNS implements a distributed database to store this name and address information for all public hosts on the Internet. DNS assumes IP addresses do not change, that is, they are statically assigned rather than dynamically assigned. DNS is a component of the internet which is a hierarchical database distributed around the world and stores a variety of information, such as IP addresses, domain names and mail server information. DNS servers, referred to as name servers, store this information and make up the hierarchy (Ron Aitchison, Pro DNS and BIND, Third Edition).

Table 2: The Domain Name Service Hierarchy (diagram): Root DNS servers; below them the com, net and org DNS servers; below those the company.com DNS server. Source: Ron Aitchison, Pro DNS and BIND, Third Edition, page 123.

According to Elinor Mills, a security expert (August 21, 2008), a domain name attack starts with the attacker aiming to determine one or more DNS servers for the target organization, which are readily available in the registration records obtained from the registrar's WHOIS database. Using the DNS server information, an attacker can use tools such as nslookup to get DNS information. Through this tool, an attacker can interrogate name servers by asking the DNS server to transmit all the information it has about all systems associated with the given domain. Through DNS-based reconnaissance, an attacker can find extremely useful information such as machine names and associated IP addresses, the purpose of the machines and the operating system type. With this information, the machines can be scanned looking for vulnerabilities. DNS-based reconnaissance can be prevented by limiting the amount of DNS information about the infrastructure that is publicly available. This is because the general public on the Internet only needs to resolve names for a small fraction of the systems in your enterprise (such as external Web, Mail and FTP servers). A split DNS will allow you to separate the DNS records that one wants the public to access from your internal names: implement an internal DNS server and an external DNS server, separated by a firewall. The
external DNS server contains only DNS information about those hosts that are publicly accessible; the internal DNS server contains DNS information for all your internal systems (D. Eastlake 3rd, CyberCash; C. Kaufman, Iris; January 1997).

Table 3: A split DNS (diagram): the Internet and the internal network are separated by a firewall; the external DNS server and the external system sit on the Internet side, while the internal DNS server and the internal system sit on the internal network side. Source: Ron Aitchison, Pro DNS and BIND, Third Edition, page 122.

2.3 CONCEPTUAL FRAMEWORK

[Figure: conceptual framework. Banking Information Systems, linked to: ways in which reconnaissance is done in banks; areas affected by reconnaissance in banks; awareness of reconnaissance.]

1.7 GAPS TO BE FILLED

This research aims to identify the ways in which reconnaissance occurs in the banking industry, the areas affected by reconnaissance attacks and the awareness among the employees and customers of the bank. The banking industry/sector is vulnerable to reconnaissance attacks, which usually target weaknesses in the information system. In today's world most financial institutions have automated work processes and operations. Fraudsters/attackers take advantage of the weaknesses of these advancements, such as electronic banking, mobile banking, internet banking and use of ATMs, to defraud banks and customers. They have adopted the latest reconnaissance technology to gain information. The findings of this research provide useful techniques in areas such as information system security policies, forensic investigations and internal and external audit trails in the banking industry to prevent reconnaissance attacks.
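As an added illustration of the split DNS mitigation described in section 2.2.4 (example code written for this edit, not part of the thesis or of any cited source): a Python script that takes a constructed internal zone for the placeholder domain example.com, audits a record set for entries that would leak internal hosts if served by the external DNS server, and derives the record set the external server may publish. The approved public host list, the RFC 1918 check and the list of role-disclosing name tokens are assumptions made for the example.

```python
"""Split DNS audit (added example for section 2.2.4; not from the thesis).

Zone records, the public host list and example.com are constructed
placeholders; the role-disclosing name tokens are an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, fully qualified, e.g. "www.example.com."
    rtype: str   # A, CNAME, MX, NS, TXT, ...
    rdata: str   # record data as written in the zone file


# Constructed internal zone: what the internal server knows, and what a
# server that mixes public and internal records would hand an attacker who
# asks it for every record of the domain (a zone transfer).
INTERNAL_ZONE_TEXT = """\
example.com.              NS     ns1.example.com.
example.com.              MX     10 mail.example.com.
example.com.              TXT    "v=spf1 mx -all"
ns1.example.com.          A      203.0.113.10
www.example.com.          A      203.0.113.20
mail.example.com.         A      203.0.113.25
ftp.example.com.          A      203.0.113.30
corebank-db.example.com.  A      10.20.30.5
oracle-dev.example.com.   A      10.20.30.6
hr-w2k3.example.com.      A      192.168.1.40
backup.example.com.       A      10.20.30.7
intranet.example.com.     CNAME  hr-w2k3.example.com.
"""

# Hosts the public actually needs to resolve (Web, mail, FTP, name server).
PUBLIC_HOSTS = {"example.com.", "ns1.example.com.", "www.example.com.",
                "mail.example.com.", "ftp.example.com."}

# RFC 1918 ranges: an external answer pointing here maps the internal network.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed name fragments that reveal a machine's purpose or operating system.
DISCLOSING_TOKENS = {"db", "sql", "oracle", "dev", "test", "backup",
                     "w2k3", "nt4", "iis"}


def parse_zone(text):
    """Parse the simplified 'owner type rdata' zone format used above."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed zone line: {raw!r}")
        name, rtype, rdata = parts
        records.append(Record(name.lower(), rtype.upper(), rdata))
    return records


def is_internal_address(value):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def target_of(rec):
    """Host name that a CNAME, NS or MX record points at, else None."""
    if rec.rtype in ("CNAME", "NS"):
        return rec.rdata.lower()
    if rec.rtype == "MX":
        return rec.rdata.split()[-1].lower()
    return None


def check_record(rec, public_hosts):
    """Reasons why this record must not be served by the external DNS."""
    reasons = []
    if rec.name not in public_hosts:
        reasons.append("owner name is not an approved public host")
    if rec.rtype in ("A", "AAAA") and is_internal_address(rec.rdata):
        reasons.append("points at an internal (RFC 1918) address")
    target = target_of(rec)
    if target is not None and target not in public_hosts:
        reasons.append(f"refers to non-public host {target}")
    if any(tok in DISCLOSING_TOKENS for tok in rec.name.split(".")[0].split("-")):
        reasons.append("host name discloses machine role or platform")
    return reasons


def audit_external_zone(records, public_hosts):
    """Run over what the external server serves; one (name, type, reason) per finding."""
    return [(r.name, r.rtype, why)
            for r in records for why in check_record(r, public_hosts)]


def build_external_zone(records, public_hosts):
    """The record set the external server may publish: those with no findings."""
    return [r for r in records if not check_record(r, public_hosts)]
```

Running the audit over the full internal zone lists every record that would be exposed by a single server, while the derived external zone keeps only the seven public records and audits clean.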
CHAPTER 3 RESEARCH METHODOLOGY

3.1 INTRODUCTION

This chapter describes the methodology adopted in the survey. It explains the research design, the population and sample size, the sample design, the data collection instruments/tools, the data collection procedures, and the data presentation and analysis techniques used.

3.2 RESEARCH DESIGN

The survey will be conducted at the Co-operative Bank Kenyatta Avenue branch in Makupa, Mombasa. It involves the use of interviews, detailed questionnaires and observations of the information systems in order to collect data for the research. These will include both employees of the bank based at the Kenyatta Avenue branch and customers who operate accounts with the bank.

3.3 POPULATION AND SAMPLE SIZE

According to the operations manager, the branch has twenty five employees. This is a reachable group and therefore the study interviews and questionnaires were carried out on all the employees. The branch has a total of 3,500 customers at the moment, although the number is growing; a sample of 60 customers using different products and services will be involved in this study, which is 2% of the entire population.

3.4 SAMPLING DESIGN

The bank has several branches across the country and therefore it will be cumbersome to conduct the research in all branches. However, most of the operations in the different
branches are the same; therefore one branch, in this case Kenyatta Avenue, will provide an adequate sample. All staff of the branch will be involved. The bank has several products and services, for instance savings and current accounts, mobile banking, internet banking, personal and business loans, ATM services, and debit and credit card facilities. In sampling, the study will incorporate customers of various products and services so as to assess the extent to which information can be obtained about confidential details and the bank's information system, as follows:

  Category                              Number
  Staff                                     25
  Account customers                         10
  Mobile banking customers                  10
  Internet banking customers                10
  Personal and Business loan customers      10
  ATM customers                             10
  Debit and Credit card customers           10
  TOTAL                                     85

3.5 DATA COLLECTION INSTRUMENTS/TOOLS

This study will use both primary and secondary data collection tools. The main primary data collection tools to be used are questionnaires, interviews and observations. The main secondary data collection tools to be used are journals, articles from the IT security and forensic department and internet articles.

3.6 DATA COLLECTION PROCEDURES

To collect data, simple questionnaires were prepared in advance. The questionnaires are then distributed to the staff and customers. I also found time to sit with various employees to
interview them in order to obtain information that could not be captured by the questionnaires. The study also involves taking routine walks through the system, the work procedures, and the products and services in order to observe areas relevant to the study. Finally, I looked for bank articles and journals, some from the security department, to provide more information on the study.

3.7 DATA PRESENTATION AND ANALYSIS TECHNIQUES

The study will involve the use of SPSS statistical software for analysing data, and bar charts, tables and graphs for representation and analysis.
CHAPTER 4 DATA PRESENTATION AND ANALYSIS

4.1 Introduction

This chapter presents the analysis of the data collected from the questionnaires of both the staff and the customers of the bank. The data is presented and analyzed with the help of tables, graphs and charts.

Response rate: Seventy (70) questionnaires were distributed; twenty five were distributed to the staff of the Kenyatta Avenue Co-operative branch, all were answered and returned, and none was lost. On the other hand, 60 questionnaires were distributed to customers; among them fifty one were answered and returned while seven were never returned.

Table 4.1 Staff response rate
                      Frequency  Percentage
  Responded                  25         100
  None responded              0           0
  Total                      25         100
Source: Research Data (2011)

Table 4.2 Customer response rate
                      Frequency  Percentage
  Responded                  51          85
  None responded              9          15
  Total                      60         100
Source: Research Data (2011)

Staff responses

4.2 Section
When the staff were asked to state which section they work in, they responded as shown in the table below:

Table 4.3 Which section do you work in?
                      Frequency  Percent  Valid Percent  Cumulative Percent
  management                  3     12.0           12.0                12.0
  supervisor                  4     16.0           16.0                28.0
  clerk                      18     72.0           72.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study revealed that the majority of the staff at the Co-operative Kenyatta Avenue branch are clerks: 72% are clerks, 16% are supervisors while 12% are in management.

4.3 Staff Gender

When the staff were asked to state their gender, they responded as shown in the table below:

Table 4.4 What is your gender?
                      Frequency  Percent  Valid Percent  Cumulative Percent
  male                       15     60.0           60.0                60.0
  female                     10     40.0           40.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study showed that the males are more than the female staff. The males are 60% while the females are 40% of the branch population.

4.4 Staff Age category

When the staff were asked to give their age category in years, they responded as shown below:

Table 4.5 What is your age category?
                      Frequency  Percent  Valid Percent  Cumulative Percent
  below 25                    4     16.0           16.0                16.0
  (25-35)                    18     72.0           72.0                88.0
  (36-45)                     3     12.0           12.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that most of the staff in the branch are between 25 and 35 years. The staff below 25 years are 16%, between 25-35 are 72% and between 36-45 are 12%.

4.5 Duration worked with the Bank (Staff)

When asked how long they had worked in the organization in years, the staff responded as shown below:

Table 4.6 For how long have you been working in this organisation?
                      Frequency  Percent  Valid Percent  Cumulative Percent
  less than one year          4     16.0           16.0                16.0
  between (1-2)              11     44.0           44.0                60.0
  between (3-5)               5     20.0           20.0                80.0
  between 6-10                3     12.0           12.0                92.0
  Above 10                    2      8.0            8.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study reveals that 44% of the staff had worked between 1-2 years, 20% between 3-5 years, 16% less than one year, 12% between 6-10 years and 8% above 10 years. This shows that the majority of the staff in the branch have less than 5 years in the bank.

4.6 Highest academic qualifications (Staff)

When asked their highest academic qualification, the staff responded as shown below:

Table 4.7 What is your highest academic qualification?
                      Frequency  Percent  Valid Percent  Cumulative Percent
  diploma                     3     12.0           12.0                12.0
  first degree               19     76.0           76.0                88.0
  post graduate               3     12.0           12.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study reveals that the majority of the staff are degree holders. First degree holders are 76%, post graduates are 12% and diploma holders are 12%. This shows that most staff are highly educated.

4.7 Electronic banking (Staff)
When asked about the safeguarding of information in electronic banking, for example direct debits, the staff responded as shown below:

Table 4.8 Electronic banking for example direct debits
                      Frequency  Percent  Valid Percent  Cumulative Percent
  agree                      22     88.0           88.0                88.0
  strongly agree              3     12.0           12.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff agree with the safeguarding of information in electronic banking, that is 88%, while 12% strongly agree. This shows effective information system security in e-banking.

4.8 Handling of cheques (Staff)

When asked about the safeguarding of information when handling cheques, the staff responded as shown below:

Table 4.9 Handling of cheques
                      Frequency  Percent  Valid Percent  Cumulative Percent
  agree                      22     88.0           88.0                88.0
  strongly agree              3     12.0           12.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)
[Figure: bar chart of responses on handling of cheques, percent by response category (agree, strongly agree). Source: Research Data (2011)]

The study shows that the majority of the staff agree with the safeguarding of information in the handling of cheques, that is 88%, while 12% strongly agree. This shows effective information system security in cheque transactions.

4.9 Money transfer services for example MoneyGram and SWIFT (Staff)

When asked about the safeguarding of information on money transfers, for example SWIFT and MoneyGram, the staff responded as shown below:
Table 4.10 Money transfer services for example MoneyGram and SWIFT
                      Frequency  Percent  Valid Percent  Cumulative Percent
  agree                      19     76.0           76.0                76.0
  strongly agree              6     24.0           24.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff agree with the safeguarding of information in money transfer services, that is 76%, while 24% strongly agree. This shows that there is effective information system security in the money transfer services.

4.10 Loan applications, business and personal loans (Staff)

When asked about the safeguarding of information in loan applications for business and personal loans, the staff responded as shown below:

Table 4.11 Loan applications, business and personal loans
                      Frequency  Percent  Valid Percent  Cumulative Percent
  not certain                 8     32.0           32.0                32.0
  agree                      12     48.0           48.0                80.0
  strongly agree              5     20.0           20.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff agree with the safeguarding of information in loan applications, that is 48%, while 32% are not sure and 24% strongly agree. This shows that the information system security in loan applications is effective but has some uncertainty.

4.11 Staff use of credit cards

When asked about the safeguarding of information in the use of credit cards, the staff responded as shown below:
Table 4.12 Use of credit cards
                      Frequency  Percent  Valid Percent  Cumulative Percent
  not certain                10     40.0           40.0                40.0
  agree                      11     44.0           44.0                84.0
  strongly agree              4     16.0           16.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff agree with the safeguarding of information in the use of credit cards, that is 44%, while 40% are not sure, which is also a high number, and 16% strongly agree. This shows that the information system security in the use of credit cards is effective but there is some element of doubt/uncertainty among other staff members.

4.12 Internet banking

When asked about the safeguarding of information in internet banking, the staff responded as shown below:

Table 4.13 Internet banking
                      Frequency  Percent  Valid Percent  Cumulative Percent
  not certain                 5     20.0           20.0                20.0
  agree                      14     56.0           56.0                76.0
  strongly agree              6     24.0           24.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)
[Figure: bar chart of responses on internet banking, percent by response category (not certain, agree, strongly agree). Source: Research Data (2011)]

The study shows that the majority of the staff agree with the safeguarding of information in internet banking, that is 56%; 24% strongly agree and 20% are not sure. This shows that the information system security in internet banking is effective but there is some uncertainty.

4.13 Account transactions: deposits, withdrawals and enquiries

When asked about the safeguarding of information in account transactions (deposits, withdrawals and enquiries), the staff responded as shown below:

Table 4.14 Account transactions: deposits, withdrawals and enquiries
                      Frequency  Percent  Valid Percent  Cumulative Percent
  not certain                 1      4.0            4.0                 4.0
  agree                      19     76.0           76.0                80.0
  strongly agree              5     20.0           20.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff agree with the safeguarding of information in account transactions, that is 76%; 20% strongly agree and 4% are not sure. This shows that information system security in account transactions is effective but there is some uncertainty.

4.14 Use of the ATM and debit cards

When asked about the safeguarding of information in the use of the ATM and debit cards, the staff responded as shown below:

Table 4.15 Use of the ATM and debit cards
                      Frequency  Percent  Valid Percent  Cumulative Percent
  strongly disagree           1      4.0            4.0                 4.0
  disagree                    2      8.0            8.0                12.0
  agree                      16     64.0           64.0                76.0
  strongly agree              6     24.0           24.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)
[Figure: bar chart of responses on use of the ATM and debit cards, percent by response category (strongly disagree, disagree, agree, strongly agree). Source: Research Data (2011)]

The study shows that the majority of the staff agree with the safeguarding of information in the use of the ATM and debit cards, that is 64%; 24% strongly agree, 8% disagree and 4% strongly disagree. This shows that although information system security is effective in the use of the ATM and debit cards, there are some vulnerabilities.

4.15 Mobile banking services

When asked about the safeguarding of information in mobile banking services, the staff responded as shown below:

Table 4.16 Mobile banking services
                      Frequency  Percent  Valid Percent  Cumulative Percent
  not certain                 2      8.0            8.0                 8.0
  disagree                    2      8.0            8.0                16.0
  agree                      17     68.0           68.0                84.0
  strongly agree              4     16.0           16.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

[Figure: bar chart of responses on mobile banking services, percent by response category (not certain, disagree, agree, strongly agree). Source: Research Data (2011)]

The study shows that the majority of the staff agree with the safeguarding of information in mobile banking, that is 68%; 16% strongly agree, 8% disagree and 8% are not certain. This shows that although information system security is effective in mobile banking, there are some vulnerabilities and threats to this service.

4.16 Aspects of social engineering
When asked which aspects of social engineering they had encountered, the staff responded as follows:

Table 4.17 Which of the following aspects of social engineering have you encountered?
                                                     Frequency  Percent  Valid Percent  Cumulative Percent
  a colleague/a new employee calling the help desk          13     52.0           52.0                52.0
  a system admin calls to fix your account                   5     20.0           20.0                72.0
  an employee has lost his contact info and calls            7     28.0           28.0               100.0
  Total                                                     25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff had a colleague/new employee calling from a helpdesk, which was 52% of the respondents; 28% had an employee who had lost his info calling, and 20% had a system administrator calling to fix his account. This study reveals evidence of social engineering aspects in the information system, a technique that can be used to carry out reconnaissance attacks.
[Figure: bar chart of responses to "Which of the following aspects of social engineering have you encountered?", percent by response category (a colleague/a new employee calling the help desk; a system admin calls to fix your account; an employee has lost his contact info and calls). Source: Research Data (2011)]

4.17 Physical break ins

When asked which experiences they had encountered in terms of physical break ins/access to the computer, the staff responded as follows:
Table 4.18 Which of the following experiences have you encountered in terms of physical break ins/access to the computer?
                                  Frequency  Percent  Valid Percent  Cumulative Percent
  corrupted files and document            7     28.0           28.0                28.0
  accessed files                          5     20.0           20.0                48.0
  unavailable password/user               2      8.0            8.0                56.0
  none of the above                      11     44.0           44.0               100.0
  Total                                  25    100.0          100.0
Source: Research Data (2011)

[Figure: bar chart of responses on experiences of physical break ins/access to the computer, percent by response category (corrupted files and document; accessed files; unavailable password/user; none of the above). Source: Research Data (2011)]
The study shows that the majority of the staff had not experienced any physical break ins, that is 44%; however 28% of the respondents had their files corrupted, 20% had their files accessed and 8% had an unavailable password/user. This study reveals evidence of some aspects of physical break ins in the information system, a technique that can be used to carry out reconnaissance attacks.

4.18 Leaving the work station

When asked what they do when leaving the work station/computer, the staff responded as shown below:

Table 4.19 What do you do when leaving your work station/computer?
                              Frequency  Percent  Valid Percent  Cumulative Percent
  minimise files                      7     28.0           28.0                28.0
  close files                        10     40.0           40.0                68.0
  lock/turn off the computer          7     28.0           28.0                96.0
  not sure                            1      4.0            4.0               100.0
  Total                              25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff close the files on their computers when leaving the work station, that is 40%; 28% of the respondents minimize their files and 28% lock/turn off the computer, while 4% are not sure. Thus the study reveals that most staff do not lock/turn off their computers when leaving.
4.19 Disposal

When asked how they dispose of customers' waste papers/materials such as bills, bank statements, ATM receipts and credit card offers, the staff responded as shown below:

Table 4.20 How do you dispose of customers' waste papers/materials such as bills, bank statements, ATM receipts and credit card offers?
                      Frequency  Percent  Valid Percent  Cumulative Percent
  throw in the waste         18     72.0           72.0                72.0
  fold and disposal           2      8.0            8.0                80.0
  shred                       3     12.0           12.0                92.0
  file                        2      8.0            8.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff throw away the waste material of customers, that is 72%; only 12% of the respondents shred the customer waste details, 8% file and 8% fold when disposing. Thus the study reveals that most staff do not shred customer trash, and dumpster diving, a reconnaissance technique, can be adopted.

4.20 Forms of enquiries

When asked what forms of enquiries they had used to disclose customer information in addition to actual customer visits, the staff responded as shown below:
Table 4.21 What forms of enquiries have you used to disclose customer information in addition to the actual customer visit?
                                                       Frequency  Percent  Valid Percent  Cumulative Percent
  a close and trusted third party (relative/friend)            4     16.0           16.0                16.0
  telephone                                                   16     64.0           64.0                80.0
  none of the above                                            5     20.0           20.0               100.0
  Total                                                       25    100.0          100.0
Source: Research Data (2011)

[Figure: bar chart of responses to "What forms of enquiries have you used to disclose customer information in addition to the actual customer visit?", percent by response category (a close and trusted third party (relative/friend); telephone; none of the above). Source: Research Data (2011)]
The study shows that the majority of the staff disclose customer details on the telephone, that is 64%; 20% of the respondents do not provide information other than to the actual customer, and 16% disclose to close people and trusted third parties. Thus the study reveals that some staff disclose customer information to people other than the actual customer.

4.21 Sharing User Details

When asked with whom they had shared their details such as user names and passwords, the staff responded as shown below:

Table 4.22 With whom have you shared customer details such as user names, passwords and account numbers?
                      Frequency  Percent  Valid Percent  Cumulative Percent
  a colleague                 3     12.0           12.0                12.0
  never shared               22     88.0           88.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff have never shared their user details, 88%, while 12% of the respondents have shared them with a colleague. Thus the study reveals that although most staff have never shared, others have provided their user details to colleagues.

4.23 Organization's website

When asked what useful information they had ever obtained from the organization's website, the staff responded as shown below:

Table 4.24 What useful information have you ever obtained from the organisation's website? Please tick as many as possible.
                                                                 Frequency  Percent  Valid Percent  Cumulative Percent
  employees' contact information (phone numbers and e-mail info)         3     12.0           12.0                12.0
  products/services information                                          8     32.0           32.0                44.0
  best employee info                                                     3     12.0           12.0                56.0
  recent mergers                                                         5     20.0           20.0                76.0
  work locations                                                         3     12.0           12.0                88.0
  business partners                                                      3     12.0           12.0               100.0
  Total                                                                 25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff can obtain a variety of information from the organization's website. The organization's website contains 32% information on products and services, 20% information on recent mergers, and 12% information each on employees, best employees, work locations and business partners.

4.24 Disposal of customer details

When asked about the proper disposal of customer details, the staff responded as shown below:

Table 4.25 Proper disposal of customer details
                      Frequency  Percent  Valid Percent  Cumulative Percent
  not certain                 1      4.0            4.0                 4.0
  disagree                    1      4.0            4.0                 8.0
  agree                      19     76.0           76.0                84.0
  strongly agree              3     12.0           12.0                96.0
  6.00                        1      4.0            4.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

[Figure: bar chart of responses on proper disposal of customer details, percent by response category (not certain, disagree, agree, strongly agree, 6.00). Source: Research Data (2011)]

The study shows that the majority of the staff agree with the proper disposal of customer details, 76%; not certain and disagree are 4% each, while strongly agree is 12%. Thus the study shows that customer details are well disposed of.

4.25 Level of confidentiality of customer details

When asked about the level of confidentiality of customer bank details, the staff responded as shown below:
Table 4.26 Level of confidentiality of customer details
                      Frequency  Percent  Valid Percent  Cumulative Percent
  strongly disagree           1      4.0            4.0                 4.0
  agree                      22     88.0           88.0                92.0
  strongly agree              2      8.0            8.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff agree on the high level of confidentiality, 88%; 8% strongly agree and 4% strongly disagree. Therefore the study shows that customer details are usually kept confidential.

4.26 Entrusting third parties with customer details

When asked about entrusting third parties with the bank details of customers, the staff responded as shown below:

Table 4.27 Entrusting third parties with customer details
                      Frequency  Percent  Valid Percent  Cumulative Percent
  strongly disagree           1      4.0            4.0                 4.0
  disagree                    2      8.0            8.0                12.0
  agree                      18     72.0           72.0                84.0
  strongly agree              4     16.0           16.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff agree on not entrusting customer details to third parties, that is 72%; 16% strongly agree, 8% disagree and 4% strongly disagree. Therefore the study shows that customer details are not to be entrusted to third parties, although some employees breach this.

[Figure: bar chart of responses on entrusting third parties with customer details, percent by response category (strongly disagree, disagree, agree, strongly agree). Source: Research Data (2011)]

4.27 Provision of customer details on telephone

When asked about the provision of customer details on the telephone, the staff responded as shown below:

Table 4.28 Provision of customer details on telephone
                      Frequency  Percent  Valid Percent  Cumulative Percent
  disagree                    3     12.0           12.0                12.0
  agree                      18     72.0           72.0                84.0
  strongly agree              4     16.0           16.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff agree that they do not provide customer details on the phone, 72%; 16% strongly agree and 12% disagree. Therefore the study shows that customer details are not to be provided on the telephone, although some staff breach this.

4.28 Use of the internet (www) in providing customer information

When asked about the use of the internet (www) in providing/obtaining information, the staff responded as shown below:

Table 4.29 Use of the internet (www) in providing customer information
                      Frequency  Percent  Valid Percent  Cumulative Percent
  not certain                 1      4.0            4.0                 4.0
  agree                      20     80.0           80.0                84.0
  strongly agree              4     16.0           16.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff agree that they do not provide customer details on the internet, 80%; 16% strongly agree and 4% disagree. Therefore the study shows that customer details are not to be provided over the internet, although a small part of the staff breach this.
[Figure: bar chart of responses on use of the internet (www) in providing customer information, percent by response category (not certain, agree, strongly agree). Source: Research Data (2011)]

4.29 Procedures implemented to ensure physical security of systems/networks

When asked about the procedures implemented to ensure the physical security of the system and network, the staff responded as shown below:

Table 4.30 Procedures implemented to ensure physical security of systems/networks
                      Frequency  Percent  Valid Percent  Cumulative Percent
  agree                      22     88.0           88.0                88.0
  strongly agree              3     12.0           12.0               100.0
  Total                      25    100.0          100.0
Source: Research Data (2011)

The study shows that the majority of the staff agree that the procedures implemented to ensure physical security are effective, that is 88%, and 12% strongly agree. Therefore the study shows that the bank has safe physical security devices and procedures.

[Figure: bar chart of responses on procedures implemented to ensure physical security of systems/networks, percent by response category (agree, strongly agree). Source: Research Data (2011)]

4.30 Training
  58. 58. When asked how often training on information system protection is done the staff responded as shown below: Table 4.31 How often is information systems protection done? Frequenc y Percent Valid Percent Cumulative Percent Valid quarter ly 25 100.0 100.0 100.0 Source: Research Data (2011) The study shows that all staff agreed that the training on information system security is done quarterly. Customers responses: 4.31 Gender (Customers) When asked about their gender customer responses were as follows: Table 4.32 What is your gender? Frequenc y Percent Valid Percent Cumulative Percent Valid male 33 64.7 64.7 64.7 female 18 35.3 35.3 100.0 Total 51 100.0 100.0 Source: Research Data (2011) The study showed that males are more than the female customers. The male are 64.7% while the female are 35.3% of branch customers. lviii
[Figure: bar chart of customer responses (Frequency), What is your gender? Source: Research Data (2011)]

4.32 Age category (in years), customers
When asked about their age category (in years), customers responded as follows:

Table 4.33 What is your age category in years?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
below 25            7           13.7      13.7            13.7
26-35               23          45.1      45.1            58.8
36-45               16          31.4      31.4            90.2
46-55               2           3.9       3.9             94.1
above 55            3           5.9       5.9             100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that most of the customers are between 26 and 35 years. The customers below 25 years are 13.7%, between 26-35 years 45.1%, between 36-45 years 31.4%, between 46-55 years 3.9% and above 55 years 5.9%.
4.33 Number of years they had been with the bank (customers)
When asked the number of years they had been with the bank, customers' responses were as follows:

Table 4.34 How many years have you been a customer with this bank?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
below 1             3           5.9       5.9             5.9
1-3                 13          25.5      25.5            31.4
3-5                 20          39.2      39.2            70.6
5-8                 5           9.8       9.8             80.4
above 8             10          19.6      19.6            100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study reveals that 39.2% of the customers had been with the bank between 3-5 years, 25.5% between 1-3 years, 19.6% above 8 years, 9.8% between 5-8 years and 5.9% below one year. This shows that the majority of the customers have been with the bank for less than 5 years.

[Figure: bar chart of customer responses (Frequency), How many years have you been a customer with this bank? Source: Research Data (2011)]

4.34 Electronic banking
When asked about the safeguarding of information in electronic banking, for example direct debit instructions, customers responded as follows:

Table 4.35 Electronic banking, for example direct debits
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain         5           9.8       9.8             9.8
strongly disagree   1           2.0       2.0             11.8
disagree            1           2.0       2.0             13.7
agree               43          84.3      84.3            98.0
strongly agree      1           2.0       2.0             100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers agree with the safeguarding of information in electronic banking, that is 84.3%, while 2% each strongly agree, disagree and strongly disagree, and 9.8% are uncertain. This shows effective information system security in e-banking.
4.35 Handling of Cheques
When asked about the safeguarding of information in the handling of cheques, the customers responded as follows:

Table 4.36 Handling of cheques
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain         16          31.4      31.4            31.4
agree               34          66.7      66.7            98.0
strongly agree      1           2.0       2.0             100.0
Total               51          100.0     100.0
Source: Research Data (2011)

[Figure: bar chart of customer responses (Frequency), Handling of cheques. Source: Research Data (2011)]

The study shows that the majority of the customers agree with the safeguarding of information in the handling of cheques, that is 66.67%, 31.4% are not certain while 2% strongly agree. This shows effective information system security in cheque transactions.
4.36 Money transfer services
When asked about the safeguarding of information in money transfers, for example MoneyGram and SWIFT, the customers responded as follows:

Table 4.37 Money transfer services, for example MoneyGram and SWIFT
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain         10          19.6      19.6            19.6
agree               41          80.4      80.4            100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers agree with the safeguarding of information in money transfer services, that is 80.4%, while 19.6% are not certain. This shows that there is effective information system security in the money transfer services, although some customers are not aware.

4.37 Loan applications
When asked about the safeguarding of information in loan applications, in business and personal loans, the customers responded as follows:

Table 4.38 Loan applications, business and personal loans
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain         27          52.9      52.9            52.9
agree               24          47.1      47.1            100.0
Total               51          100.0     100.0
Source: Research Data (2011)

[Figure: bar chart of customer responses (Frequency), loan applications, business and personal loans. Source: Research Data (2011)]

The study shows that the majority of the customers are not sure about the safeguarding of information in loan applications, that is 52.9%, while 47.1% agree. This shows that the information system security in loan applications is effective but not certain.

4.38 Use of credit cards
When asked about the safeguarding of information in the use of credit cards, the customers responded as follows:

Table 4.39 Use of credit cards
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain         29          56.9      56.9            56.9
agree               20          39.2      39.2            96.1
strongly agree      2           3.9       3.9             100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers are not certain about the safeguarding of information in the use of the ATM and debit cards, that is 56.9%, 39.2% agree that information systems are safeguarded and 3.9% strongly disagree. This shows that although information system security is effective in the use of the ATM and debit cards, there are some vulnerabilities.

4.39 Internet banking
When asked about the safeguarding of information in internet banking, the customers' responses were as follows:

Table 4.40 Internet banking
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain         27          52.9      52.9            52.9
agree               23          45.1      45.1            98.0
strongly agree      1           2.0       2.0             100.0
Total               51          100.0     100.0
Source: Research Data (2011)
[Figure: bar chart of customer responses (Frequency), internet banking. Source: Research Data (2011)]

The study shows that the majority of the customers are not certain about the safeguarding of information in internet banking, that is 52.9%, 45.1% agree that information systems are safeguarded and 2% strongly agree. This shows that although information system security is effective in internet banking, there are some vulnerabilities.

4.40 Account transactions
When asked about the safeguarding of information in account transactions such as deposits, withdrawals and enquiries, customers' responses were as follows:

Table 4.41 Account transactions: deposits, withdrawals and enquiries
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain         16          31.4      31.4            31.4
agree               33          64.7      64.7            96.1
strongly agree      2           3.9       3.9             100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers agree with the safeguarding of information in account transactions, that is 64.7%, 31.4% are not certain that information systems are safeguarded and 3.9% strongly agree. This shows that information system security is effective in account transactions.

4.41 Use of the ATM and debit cards
When asked about the safeguarding of information in the use of the ATM and debit cards, the customers responded as follows:

Table 4.42 Use of the ATM and debit cards
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain         12          23.5      23.5            23.5
agree               37          72.5      72.5            96.1
strongly agree      2           3.9       3.9             100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers agree with the safeguarding of information in the use of ATM and debit cards, that is 72.5%, 23.5% are not certain that information systems are safeguarded and 3.9% strongly agree. This shows that information system security is effective in the use of ATM and debit cards.

4.42 Mobile banking services
When asked about the safeguarding of information in mobile banking services, customers responded as follows:

Table 4.43 Mobile banking services
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain         9           17.6      17.6            17.6
agree               42          82.4      82.4            100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers agree with the safeguarding of information in mobile banking, that is 82.4%, 17.6% are not certain that information systems are safeguarded and 3.9% strongly agree. This shows that although information system security is effective in mobile banking, it is also vulnerable.
[Figure: bar chart of customer responses (Frequency), Mobile banking services. Source: Research Data (2011)]

4.43 Social engineering
When asked which aspect of social engineering they had encountered, customers responded as follows:

Table 4.44 Which of the following aspects of social engineering have you encountered?
Response                                                        Frequency   Percent   Valid Percent   Cumulative Percent
an employee / agent of the bank calling to ask about details    10          19.6      19.6            19.6
a manager calling because he wants to update your account       4           7.8       7.8             27.5
a bank representative calls to fix your account                 36          70.6      70.6            98.0
none of the above                                               1           2.0       2.0             100.0
Total                                                           51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers had received a call from a bank representative to fix an account; this was 70.6% of the respondents, 19.6% of the customers had an employee / agent of the bank calling to ask about details and 7.8% had a manager calling because he wanted to update their account. This study reveals evidence of social engineering aspects in the information system. This is a technique that can be used to carry out reconnaissance attacks.

[Figure: bar chart of customer responses (Frequency), Which of the following aspects of social engineering have you encountered? Source: Research Data (2011)]

4.44 Disposal of customer details
When asked how they dispose of customer information such as bills, bank statements, ATM receipts and credit card offers, customers responded as follows:

Table 4.45 How do you dispose of your customer information such as bills, bank statements and ATM receipts?
Response                  Frequency   Percent   Valid Percent   Cumulative Percent
throw in the waste bin    43          84.3      84.3            84.3
fold and dispose          7           13.7      13.7            98.0
burn/shred                1           2.0       2.0             100.0
Total                     51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers throw their waste material in bins, 84.3%; 13.7% of the respondents fold and dispose of their waste while 2% fold when disposing. Thus the study reveals that most customers do not shred/burn customer trash and therefore dumpster diving, a reconnaissance technique, can be adopted.

[Figure: bar chart of customer responses (Frequency), How do you dispose of your customer information such as bills, bank statements and ATM receipts? Source: Research Data (2011)]

4.45 Sharing of customer details
When asked with whom they share their details, customers' responses were as follows:
Table 4.46 With whom do you share your customer details?
Response                  Frequency   Percent   Valid Percent   Cumulative Percent
relative                  2           3.9       3.9             3.9
none                      12          23.5      23.5            27.5
financial institutions    37          72.5      72.5            100.0
Total                     51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers have shared their details with financial institutions, 72.5%, while 23.5% of the respondent customers have never shared their information. 3.9% of customers have shared their customer details with their relatives. Thus the study reveals that customers have shared their customer details, which is not allowed.

4.46 Keeping your customer documentation
When asked where they keep their customer documentation (ATM/debit cards, credit cards, national ID and bank statements), customers responded as follows:

Table 4.47 Where do you keep your customer documentation?
Response                  Frequency   Percent   Valid Percent   Cumulative Percent
home                      22          43.1      43.1            43.1
in a safe at home         3           5.9       5.9             49.0
wallet and purse          23          45.1      45.1            94.1
office                    3           5.9       5.9             100.0
Total                     51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers keep their customer documentation in their wallet/purse and at home, 45.1% and 43.1% respectively. Other customers keep their documents in a safe at home and in the office, both at 5.9%. Thus the study reveals that customers are usually careful with their documentation.

4.47 Privacy
When asked how private the storage place where they keep their documentation (ATM/debit cards, credit cards, national ID and bank statements) is, customers responded as follows:

Table 4.48 How private is the storage area where you keep your customer documentation?
Response                  Frequency   Percent   Valid Percent   Cumulative Percent
very private              5           9.8       9.8             9.8
private                   24          47.1      47.1            56.9
not sure                  22          43.1      43.1            100.0
Total                     51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers value privacy, although some are not sure of privacy, as follows: 47.1% of the customers consider their storage private, 43.1% are not sure and 9.8% consider their storage very private. Thus the study reveals that customers' information privacy varies.
[Figure: bar chart of customer responses (Frequency), How private is the storage area where you keep your customer documentation? Source: Research Data (2011)]

4.48 Loss of ATM card
When asked whether they had ever lost their ATM cards, customers' responses were as follows:

Table 4.49 Have you ever lost your ATM card / customer details?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
no                  4           7.8       7.8             7.8
yes                 47          92.2      92.2            100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers, 92.2%, have lost their ATM cards against 7.8% who have not. Thus the study reveals that customers' information privacy varies.
4.49 Action taken after the loss of the ATM card
When customers who had lost their ATM cards were asked what they did about it, they responded as follows:

Table 4.50 If yes, what did you do about it?
Response                          Frequency   Percent   Valid Percent   Cumulative Percent
nothing                           1           2.0       2.1             2.1
reported the case to the police   8           15.7      16.7            18.8
reported the case to the bank     39          76.5      81.3            100.0
Total                             48          94.1      100.0
Missing (System)                  3           5.9
Total                             51          100.0
Source: Research Data (2011)

The study shows that the majority of the customers who had lost their ATM cards reported the case to the bank; this was 76.5%, 15.7% reported the case to the police and 2% did nothing. Thus the study reveals that most customers are aware of the right action to take, although not all.

4.50 Duration before reporting
When customers who had reported to the bank were asked how long they took to report the incident, they responded as follows:

Table 4.51 If you reported to the bank, how long did it take you to report the incident?
Response                          Frequency   Percent   Valid Percent   Cumulative Percent
immediately                       3           5.9       6.3             6.3
after a month                     2           3.9       4.2             10.4
after a few days                  15          29.4      31.3            41.7
never reported                    1           2.0       2.1             43.8
after a week                      27          52.9      56.3            100.0
Total                             48          94.1      100.0
Missing (System)                  3           5.9
Total                             51          100.0
Source: Research Data (2011)

The study shows that the majority of the customers reported the incident after a week; this was 52.9% of the respondents, 29.4% of the respondents reported after a few days, 5.9% reported immediately, 3.9% after a month and 2% were not sure. Thus the study reveals that most customers, despite reporting the loss of the ATM card, do it immediately.

4.51 Documentation lost through physical break-ins
When asked what other documentation they had lost through physical break-ins, the customers responded as follows:

Table 4.52 What other customer documentation have you lost through physical break-ins?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
national ID         33          64.7      64.7            64.7
bank plate          14          27.5      27.5            92.2
bank statement      3           5.9       5.9             98.0
none                1           2.0       2.0             100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers reported losing several documents through physical break-ins, as follows: national ID 64.7%, bank plate 27.5%, bank statement 5.9%, none 2%. Thus the study reveals that most customers have lost several customer documents in addition to the ATM card.

[Figure: bar chart of customer responses (Frequency), What other customer documentation have you lost through physical break-ins? Source: Research Data (2011)]

4.52 Organization's website
When asked what useful information can be obtained from the bank's website, the customers responded as follows:
Table 4.53 What useful information have you ever obtained from the bank's website?
Response                        Frequency   Percent   Valid Percent   Cumulative Percent
employee contact information    4           7.8       7.8             7.8
products/services info          26          51.0      51.0            58.8
best employee information       2           3.9       3.9             62.7
recent mergers                  4           7.8       7.8             70.6
work location                   1           2.0       2.0             72.5
business partners               11          21.6      21.6            94.1
others                          3           5.9       5.9             100.0
Total                           51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of customers obtain a variety of information from the organization's website. The organization's website contains 51% information on products and services, 21.6% information on business partners, 7.8% information on recent mergers, 3.9% information on employees and best employees, and 2% work locations. Thus the study reveals that plenty of information can be obtained from the organization's website.

4.53 Leaving receipts
When asked whether they leave receipts at ATMs, bank counters or unattended gasoline pumps, customers responded as follows:

Table 4.54 Do you leave receipts at ATMs, bank counters or unattended gas pumps?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
yes                 51          100.0     100.0           100.0
Source: Research Data (2011)

[Figure: bar chart of customer responses (Frequency), Do you leave receipts at ATMs, bank counters or unattended gas pumps? Source: Research Data (2011)]

The study shows that all customers leave their receipts at ATM points, bank counters or unattended gas pumps. Thus the study reveals that customers are not aware of the risk, and that customer information should not be left anywhere.

4.54 Records of customer details
When asked whether they record social security numbers or passwords on paper and store them in a wallet/purse, the customers responded as follows:

Table 4.55 Do you record your social security number/passwords on paper and store them in your wallet/purse?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
yes                 51          100.0     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers record their social security number/passwords on paper and store them in their wallet/purse.

[Figure: bar chart of customer responses (Frequency), Do you record your social security number/passwords on paper and store them in your wallet/purse? Source: Research Data (2011)]

4.55 Disclosure of bank account details on websites
When asked whether they have ever disclosed bank account numbers, credit card numbers or any other personal financial details on websites or online service locations without having received a secured authentication key from the provider, customers responded as follows:
Table 4.56 Have you ever disclosed your bank account details on any website?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
yes                 1           2.0       2.0             2.0
no                  50          98.0      98.0            100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers do not disclose their bank account details on any website, 98%, compared to those who disclose, 2%. The study reveals that most customers are aware of the implications of having their information on websites.

4.56 Sharing your financial details in internet forums
When asked whether they share financial details in internet forums / online sites, the customers responded as follows:

Table 4.57 Do you share your financial details in internet forums?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
yes                 3           5.9       5.9             5.9
no                  48          94.1      94.1            100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers do not share their bank account details on any website, 94.1%, compared to those who share, 5.9%. The study reveals that most customers are aware of the implications of having their information on websites.

[Figure: bar chart of customer responses (Frequency), Do you share your financial details in internet forums? Source: Research Data (2011)]

4.57 Training/Education
When asked where they had been trained / educated on the importance of safeguarding personal information regarding bank details, the customers responded as follows:

Where have you been trained / educated on the importance of safeguarding personal information regarding bank details?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
media               3           5.9       5.9             5.9
bank                48          94.1      94.1            100.0
Total               51          100.0     100.0
Source: Research Data (2011)

The study shows that the majority of the customers have been educated by the bank on the importance of safeguarding personal information, 94.1%; others have been educated through the media, 5.9%.
CHAPTER 5
SUMMARY OF THE MAJOR FINDINGS

STAFF RESPONSES

5.01 Section
The study revealed that the majority of the staff at the Co-operative Bank Kenyatta Avenue branch are clerks, that is 72%; 16% are supervisors while 12% are in management.

5.02 Duration worked with the Bank (Staff)
The study reveals that 44% of the staff had worked between 1-2 years, 20% between 3-5 years, 16% less than one year, 12% between 6-10 years and 8% above 10 years. This shows that the majority of the staff in the branch have less than 5 years in the bank.

5.03 Aspects of social engineering
The study shows that