Security in Banking

Post on 10-Jan-2016


Description: Security in Banking. Emmanuel van de Geer, Senior Architect, Governance, Risk, Compliance and Security, Standard Chartered Bank. Topics: Why Is Information Security Different in Banking; My Career in Banking Security; What Banks Worry About; Zeus and SpyEye Deep Dive. (PowerPoint PPT presentation)

Transcript

Cisco Confidential 1© 2010 Cisco and/or its affiliates. All rights reserved.

Security in Banking

Emmanuel van de Geer

Senior Architect

Governance, Risk, Compliance and Security

Standard Chartered Bank


What are we covering

Why Is Information Security Different in Banking

My Career in Banking Security

What Banks Worry About

Zeus and SpyEye Deep Dive


Criminals want to steal from Banks.

Banks succeed because customers trust them with their money.

Why is Information Security in Banking Different?

Sutton's Law

“That’s where the money is.”


Why is Information Security in Banking Different?

Customers need to know that Banks are safe and secure

This isn’t just to do with Information Security. It’s about how a Bank is run.

Here For Good

Standard Chartered Bank


This is one reason why Information Security in Banks is different from other industries:

Information Security isn’t a technology problem; it is a business asset.


Another reason why information security is different in Banking:

Follow the Money


Risk Management in Banking

How Banks Work & Why Risk Is Important

How Banks Work


Risk Management in Banks

This process of reserving money is called “Capital Allocation”, where the amount reserved depends on your level of risk.

Operational Risk


- The more risk a Bank has, the more money it has to reserve.
- The more money the Bank reserves, the less it can invest.
- The less it invests, the less it can make.
- The less it can make, the less it can pay.
- The less it pays, the fewer customers it will have.

Risk management and information security are factors that determine how competitive and successful a Bank is.


In the Banking industry, security isn’t just about the technology; rather, it is integrated with Risk Management, Compliance and Fraud. This combined space is called GRC (Governance, Risk and Compliance).

It wasn’t always like this.

In 2000, online fraud was unheard of. Now it costs banks 60M in the USA alone.

History of My Career

& what a career in security can mean for you

In 2000 I started my career in Information Security as a firewall engineer.

Today, I design systems that prevent and detect everything from hackers to money laundering.


Major Events


As the threats of theft and fraud have increased, so has the role of Information Security professionals.


So what are Banks concerned about?

- Online Fraud
- The Insider Threat
- Cards and Transactions
- Denial of Service
- Data Leakage
- Trading Fraud
- Payments Processing
- Information Theft

DoS: why, who and what?

Motivation: who is it and why do they do it?

Geopolitical
- Government affiliated
- NGO
- Militant

Hacktivism – Crowd Sourced
- Anonymous
- LulzSec
- Occupy

Extortion/financial gain
- Criminals

Targets: what do they target?
- Asia (MY, KR, TW, CH)
- US Gov
- Israel, Palestine
- Banks in Brazil
- CIA
- Bank of America

2011 DDoS


Online Fraud

Zeus and SpyEye


Zeus and SpyEye Impacts


Looks bad. But how bad is it?

Zeus and SpyEye Impacts


What can Zeus / SpyEye Do?

First: How Internet Banking Is Supposed to Work

Then: What Is Different In The Malware Scenario

Zeus and SpyEye Footprint


Being in the browser context gives Zeus and SpyEye some sophisticated capabilities.

It means that criminals can impersonate the customer to the Bank, and the Bank to the customer, to near perfection.

What can Zeus / SpyEye Do?

During Login

Post Login / During Transactions

Post Transaction

What can Zeus / SpyEye Do?


Next Generation

The attacks described so far are controllable by most Banks.

But criminals are not giving up.

They have started on the next generation of malware: MitMo.

Next Generation

MitMo, or Man in the Mobile, is SpyEye / Zeus for mobile phones.

With most Banks reliant on SMS OTP, this will be the next battleground for Online Fraud.

Prediction:

SMS OTP is dead. But what is next?

Recap

Information Security in Banking:
- People steal money; money lives in Banks.
- People trust Banks, and reputation is key.
- Fraud and Risk impact Bank profitability.

Information Security is a business problem for Banks.

Recap

Online Fraud
- Steadily increasing
- Some way to go compared to other fraud activity

Prediction:
- Mobile Security will get worse
- The end of SMS OTP