Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Security in Banking Emmanuel van de Geer Senior Architect Governance, Risk, Compliance and Security Standard Chartered Bank

Security in Banking

DESCRIPTION

Security in Banking. Emmanuel van de Geer Senior Architect Governance, Risk, Compliance and Security Standard Chartered Bank. Why Is Information Security Different in Banking My Career in Banking Security What Banks Worry About Zeus and SpyEye Deep Dive. What are we covering. - PowerPoint PPT Presentation

Page 1: Security in Banking

Security in Banking

Emmanuel van de Geer

Senior Architect

Governance, Risk, Compliance and Security

Standard Chartered Bank

Page 2: Security in Banking

What are we covering

Why Is Information Security Different in Banking

My Career in Banking Security

What Banks Worry About

Zeus and SpyEye Deep Dive

Page 3: Security in Banking

Why is Information Security in Banking Different?

Criminals want to steal from Banks.

Banks succeed because customers trust them with their money.

Sutton's Law: “That’s where the money is”

Page 4: Security in Banking

Why is Information Security in Banking Different?

Customers need to know that Banks are safe and secure

This isn’t just to do with Information Security. It’s about how a Bank is run.

Here For Good (Standard Chartered Bank)

Page 5: Security in Banking

This is one reason why Information Security in Banks is different from other industries

Information Security isn’t a technology problem, it is a business asset.

Page 6: Security in Banking

Another reason why information security is different in Banking:

Follow the Money

Page 7: Security in Banking

Risk Management in Banking

How Banks Work & Why Risk Is Important

Page 8: Security in Banking

How Banks Work

Page 9: Security in Banking

Risk Management in Banks

This process of reserving money is called “Capital Allocation”, where the amount reserved is dependent on your level of risk.

Page 10: Security in Banking

Operational Risk

Page 11: Security in Banking

The more risk a Bank has, the more money it has to reserve.

The more money the Bank reserves, the less it can invest.

The less it invests, the less it can make.

The less it can make, the less it can pay.

The less it pays, the fewer customers it will have.

Page 12: Security in Banking

Risk management and information security are factors that determine how competitive and successful a Bank is.

Page 13: Security in Banking

In the Banking industry, security isn’t just about the technology; rather, it is integrated with Risk Management, Compliance and Fraud. This combined space is called GRC.

Page 14: Security in Banking

It wasn’t always like this.

In 2000, online fraud was unheard of. Now it costs banks 60M in the USA alone.

Page 15: Security in Banking

History of My Career

& what a career in security can mean for you.

Page 16: Security in Banking

In 2000 I started my career in Information Security as a firewall engineer.

Today, I design systems that prevent and detect everything from hackers to money laundering.

Page 17: Security in Banking

Major Events

Page 18: Security in Banking

As the threats of theft and fraud have increased, so has the role of Information Security professionals.

Page 19: Security in Banking

So what are Banks concerned about?

- Online Fraud
- The Insider Threat
- Cards and Transactions
- Denial of Service
- Data Leakage
- Trading Fraud
- Payments Processing
- Information Theft

Page 20: Security in Banking

DoS: why, who and what?

Motivation: who is it and why do they do it?

- Geopolitical
  - Government affiliated
  - NGO
  - Militant
- Hacktivism (Crowd Sourced)
  - Anonymous
  - LulzSec
  - Occupy
- Extortion / financial gain
  - Criminals

Targets: what do they target?

- Asia (MY, KR, TW, CH)
- US Gov
- Israel, Palestine
- Banks in Brazil
- CIA
- Bank of America

Page 21: Security in Banking

2011 DDoS

Page 22: Security in Banking

Online Fraud

Zeus and SpyEye

Page 23: Security in Banking

Zeus and SpyEye Impacts

Page 24: Security in Banking

Looks bad

But how bad is it?

Page 25: Security in Banking

Zeus and SpyEye Impacts

Page 26: Security in Banking

What can Zeus / SpyEye Do?

First, How Internet Banking Is Supposed to Work

So What Is Different In The Malware Scenario

Page 27: Security in Banking

Zeus and SpyEye Footprint

Page 28: Security in Banking

What can Zeus / SpyEye Do?

Being in the browser context gives Zeus and SpyEye some sophisticated capabilities.

It means that criminals can impersonate the customer to the Bank, and the Bank to the customer, to near perfection.

Page 29: Security in Banking

What can Zeus / SpyEye Do?

During Login

Post Login / During Transactions

Post Transaction

Page 30: Security in Banking

What can Zeus / SpyEye Do?

Page 31: Security in Banking

Next Generation

The attacks described so far are controllable by most Banks

But Criminals are not giving up

They have started on the next generation of Malware ….

MitMo

Page 32: Security in Banking

Next Generation

MitMo, or Man in the Mobile is SpyEye / Zeus for Mobile Phones.

With most Banks reliant on SMS OTP, this will be the next battle ground for Online Fraud.
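The browser-side and mobile-side tampering described in the Zeus/SpyEye and MitMo slides comes down to one property: an OTP that is not tied to what the customer actually approved still verifies after the malware rewrites the payee and amount. The following Python model is an added example, not code from the presentation or from Standard Chartered Bank; it assumes a hypothetical shared-key token, and the key, counter and transaction values are constructed for the demonstration. It contrasts a plain counter-based OTP with one computed over the transaction details.

```python
import hmac
import hashlib

# Constructed demo secret shared by the bank and the customer's token device.
# Hypothetical: real deployments provision a per-customer key, usually in hardware.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to the 6-digit code format that OTP schemes present to users."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def unbound_otp(key: bytes, counter: int) -> str:
    """Plain OTP: depends only on the key and a counter, not on the transaction."""
    return _six_digits(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())

def bound_otp(key: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Transaction-bound OTP: the code also commits to payee and amount."""
    msg = counter.to_bytes(8, "big") + payee.encode() + b"\x00" + amount_cents.to_bytes(8, "big")
    return _six_digits(hmac.new(key, msg, hashlib.sha256).digest())

def bank_accepts_unbound(key: bytes, counter: int, submitted_otp: str) -> bool:
    return hmac.compare_digest(unbound_otp(key, counter), submitted_otp)

def bank_accepts_bound(key: bytes, counter: int, payee: str, amount_cents: int, submitted_otp: str) -> bool:
    return hmac.compare_digest(bound_otp(key, counter, payee, amount_cents), submitted_otp)

INTENDED = ("ALICE", 10_000)   # constructed: customer approves 100.00 to ALICE
TAMPERED = ("MULE", 500_000)   # constructed: what the bank receives after an in-browser rewrite

def simulate(bound: bool, tampered: bool) -> bool:
    """Model the malware scenario: the customer sees and approves INTENDED, the code the
    token produces is relayed unchanged, but the payee/amount reaching the bank are
    TAMPERED when the browser is under malware control.
    Returns True if the bank accepts the transaction it actually received."""
    counter = 42
    received = TAMPERED if tampered else INTENDED
    if bound:
        # The token computes the code over the details shown on its own screen.
        otp = bound_otp(DEMO_KEY, counter, *INTENDED)
        return bank_accepts_bound(DEMO_KEY, counter, *received, otp)
    otp = unbound_otp(DEMO_KEY, counter)
    return bank_accepts_unbound(DEMO_KEY, counter, otp)

if __name__ == "__main__":
    print("unbound OTP, tampered transaction accepted:", simulate(bound=False, tampered=True))
    print("bound OTP, tampered transaction accepted:  ", simulate(bound=True, tampered=True))
    print("bound OTP, honest transaction accepted:    ", simulate(bound=True, tampered=False))
```

The binding only helps if the customer can see the payee and amount on a channel the malware does not control, which is exactly what a compromised phone takes away from SMS-based schemes.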

Page 33: Security in Banking

Prediction:

SMS OTP is dead. But what is next ….

Page 34: Security in Banking

Recap

Information in Banking:
- People Steal Money, Money lives in Banks.
- People Trust Banks & Reputation is key.
- Fraud and Risk impact Bank profitability.

Information Security is a business problem for Banks.

Page 35: Security in Banking

Recap

Online Fraud
- Steadily increasing
- Some way to go compared to other fraud activity

Prediction:
- Mobile Security will get worse
- The end of SMS OTP