Date posted: 04-Jun-2018
Category: Documents
Uploaded by: apratim-bhaskar
8/13/2019 Info Sec Awareness@Dec7th12-Final

Information Security Awareness
Information Security Group
Risk Department, HO

Information Security

Protecting / safeguarding information and information systems from:
Malicious hackers
Employees
Outsourced staff, consultants, suppliers & customers

Objective of Information Security

To ensure CIA (Confidentiality, Integrity, Availability) of Information Systems & to avoid unauthorized access & hacking.
To prevent cyber crime: salami attack & DoS attack, virus / worm attack, cyber pornography.
To comply with IT Act & RBI Guidelines.
Losses to be avoided: financial, information and reputation loss; unfavorable media exposure; fraud, abuse & lawsuits.

Implementation of Information Security

The Information Security responsibilities rest with the Bank, the employees and the customers.

The Bank: Preparation of the Information Security Policy & its implementation. Equip the Bank with the best information security practices in the industry. Ensure CIA. Regulatory & statutory compliance. Spreading awareness. Security certifications.

The Employees: Employees ought to be aware of, spread & follow the Information Security Policy. They should be alert to notice security incidents and report the same to ISG ([email protected]).

The Customers: Customers need to be aware of the risks associated with alternate channels, and practice the caution & precautions advised by the Bank.

Information Security - Bank Posture

Information Security Policy approved by the Board of the Bank.
Adopt the best security practices in the Banking Industry.
Layer 3 Data Center and DR Site. Security devices like firewalls, IDS/IPS, proxy servers, anti-virus, content filters, DMZ, 24x7 monitoring & log analysis, anti-phishing, hardening, application testing, VA / PT etc.
Obtaining security standards like ISO 27001, PCI-DSS etc.
Compliance with RBI & IT-Act security directives.
Spread awareness among employees & customers.

IT Act Sec 43A: Compensation for failure to protect data

Where a body corporate, possessing, dealing or handling any sensitive personal data in a computer resource which it owns/controls/operates, is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

IT Act Sec 72A: Punishment for disclosure of information in breach of lawful contract

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

Information Security - Incidents

2007: HSBC Bank fined 3.2 million by the Financial Security Authority (FSA UK) for losing details of 180,000 life insurance customers. Reason: an unencrypted floppy disk lost in the post.

2010: The virus Stuxnet targeted Iran's nuclear program, closing down the automation network at the Natanz and Fordo facilities. Reason: an email carrying the virus was sent to scientists there.

Information Security - Incidents

Recent reports showed hackers earned $12.5 billion in 2011, mainly by password breaches and online frauds.

Sony, $171 million: In 2011 the Sony PlayStation Network suffered a security breach. Up to 24 million users were affected and personal, billing and password security questions were stolen. Sony expects to pay out $171 million in new protection, welcome-back and customer support programmes and legal costs.

Citigroup, $2.7 million: Hacked in June 2011, hackers exploited a basic online vulnerability and stole account information from 200,000 clients. Because of the hacking, Citigroup said it lost $2.7 million.

Data theft incident

Practical aspects of Information Security

Passwords
Desktop Security
Alternate channels
Email / Internet

Passwords

A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource. It is your identity to a particular system: Finacle, Internet, e-Mail, HR system, Desktop etc.

Passwords are like bubblegum: they are better when fresh.
Passwords are like toothbrushes: they shouldn't be shared, and you should get a new one regularly.

Passwords (contd)

You are only as secure as the weakest link in your security chain.
The weakest link in the security chain: the human.

"Only two things are infinite, the Universe & human stupidity, and I am not sure about the former."

Weak Passwords

Password Attacks

Shoulder surfing
Brute-force attack
Dictionary attack

Countermeasures:
Applications limiting the number of unsuccessful password attempts.
Be cautious of people looking at your keyboard.
Use a combination of alphanumeric and special characters.
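The "limit the number of unsuccessful password attempts" countermeasure, as an added example (not code from the Bank or from this deck): a per-account counter that locks the account after a fixed number of consecutive failures for a cooling-off period. The threshold of 5 tries, the 15-minute lockout and all names are assumptions; time is passed in explicitly so the logic can be exercised without waiting.

```python
"""Limit on unsuccessful password attempts: a per-account counter that locks
the account after N consecutive failures for a cooling-off period.
Added example for this deck, not the Bank's code; the threshold (5 tries),
the lockout period (15 minutes) and all names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class AttemptTracker:
    """Tracks consecutive failed logins per account and locks the account
    once max_attempts is reached. Time is passed in as Unix seconds."""
    max_attempts: int = 5               # assumed policy value
    lockout_seconds: int = 15 * 60      # assumed policy value
    _failures: dict = field(default_factory=dict)      # account -> count
    _locked_until: dict = field(default_factory=dict)  # account -> time

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget the old failures so the user gets a fresh budget.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Register one wrong password. Returns True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A correct password resets the counter; callers must check is_locked() first."""
        self._failures.pop(account, None)

    def remaining_attempts(self, account: str, now: float) -> int:
        if self.is_locked(account, now):
            return 0
        return self.max_attempts - self._failures.get(account, 0)


def simulate_guessing(tracker: AttemptTracker, account: str, guesses, correct: str,
                      start: float = 0.0):
    """Feed one guess per second through the tracker (a stand-in for the real
    credential check, which would compare password hashes, not plaintext).
    Returns (accepted, locked_at_end)."""
    accepted = False
    for i, guess in enumerate(guesses):
        now = start + i
        if tracker.is_locked(account, now):
            break  # a locked account is not even checked, so guessing stalls here
        if guess == correct:
            tracker.record_success(account)
            accepted = True
            break
        tracker.record_failure(account, now)
    return accepted, tracker.is_locked(account, start + len(guesses))


if __name__ == "__main__":
    t = AttemptTracker()
    # Constructed guess list: five wrong guesses, then the right one.
    print(simulate_guessing(t, "alice", ["a", "b", "c", "d", "e", "secret"], "secret"))
    # -> (False, True): the correct guess arrives after the lock and is never tried
```

The point of the counter is that a dictionary run gets a fixed budget per period rather than unlimited tries; the counter must be kept server-side, keyed by account, since a client-side limit can be bypassed by the attacker's own tooling.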

How Passwords can be compromised

Sharing your passwords
Sending personal information over the internet
Writing your passwords on paper or storing them on the hard disk
Using weak / repeated / blank / default passwords

Passwords: Steps taken by the Bank

Password policy for employees & customers.
Raising awareness among employees & customers.
Password policy as part of OS hardening in servers.
Employees forced to change passwords in critical applications.
Customers forced to change net-banking passwords; virtual keyboard on net-banking sites.

Passwords: How to make them strong?

Make passwords strong by using a combination of:
English lower-case alphabets (a, b, c)
English upper-case alphabets (A, B, C)
Arabic numerals (1, 2, 3)
Special characters (! # @ % $ *)

Examples of strong passwords, each derived from a phrase:
"How to choose a very strong password?" gives H2C@VsP or h2cAv5p?
"No Frills Account" gives N0Fr!11$Ac
"Time is a great healer" gives T!$@G8hr
"Chor Ki Dadi Mein Tinka" gives CkD@d1mT
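A password-policy check built from the rules on this slide (lower-case, upper-case, numerals, special characters), combined with the dictionary-attack and "different passwords for different systems" points from the surrounding slides. This is an added example, not the Bank's code; the 8-character minimum, the reversed "leet" substitution table and the small word list are assumptions (a real check would use a cracking dictionary of millions of entries).

```python
"""Password-strength check built from the slide's four character classes, plus a
dictionary check and a reuse check. Added example, not the Bank's code; the
8-character minimum, the de-leet table and the word list are assumptions."""
import string

CHARACTER_CLASSES = {
    "lower":   set(string.ascii_lowercase),      # a, b, c
    "upper":   set(string.ascii_uppercase),      # A, B, C
    "digit":   set(string.digits),               # 1, 2, 3
    "special": set(string.punctuation),          # ! # @ % $ * and the rest
}
MIN_LENGTH = 8  # assumed policy value; not stated on the slide

# Constructed stand-in for a cracking dictionary.
COMMON_WORDS = sorted({"password", "welcome", "admin", "letmein", "qwerty", "123456"})

# Common "leet" substitutions reversed, so that P@ssw0rd is still recognised as "password".
DELEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                        "$": "s", "5": "s", "3": "e", "7": "t"})


def classes_used(password: str) -> set:
    """Which of the four character classes appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def password_problems(password: str, previous=()) -> list:
    """Return a list of policy violations; an empty list means the password passes.
    `previous` holds passwords already used on other systems (for the reuse rule)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = set(CHARACTER_CLASSES) - classes_used(password)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    # Dictionary attacks try obvious substitutions too, so undo them before matching.
    normalised = password.lower().translate(DELEET)
    for word in COMMON_WORDS:
        if word in normalised:
            problems.append(f"contains dictionary word '{word}'")
    if password in previous:
        problems.append("reused from another system")
    return problems


def is_strong(password: str, previous=()) -> bool:
    return not password_problems(password, previous)


if __name__ == "__main__":
    # The slide's own examples pass; the last two constructed ones show the failure messages.
    for pw in ["N0Fr!11$Ac", "T!$@G8hr", "CkD@d1mT", "P@ssw0rd1!", "Abcdefg1"]:
        print(pw, "->", password_problems(pw) or "OK")
```

Character-class rules alone are not enough: "P@ssw0rd1!" satisfies all four classes and still falls to the first pass of a dictionary run, which is why the check normalises substitutions before matching.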

Passwords - Incidents

Passwords: Dos & Don'ts

Make strong passwords by a personally designed algorithm for generating obscure passwords.
Passwords should be simple to remember & complex to break.
Have different passwords for different systems / applications.
Don't write your passwords anywhere (paper, bills, PC etc).
Don't disclose your password to anyone (colleagues, friends).
Don't send your password or personal information via e-mail.
Don't use default passwords.
Don't configure your browser to remember your passwords.
Disable the Finacle login when on leave for more than 2 days.
Change your passwords often.
Beware of shoulder surfing.

Desktop Security

Have a boot-up & logon password & change them often.
Lock your desktop when you leave your desk for a short span of time.
Don't keep your personal information or passwords on your PC.
Keep important files password protected.
Ensure that the anti-virus client is installed on your PC, and that it is getting updated on a regular basis.
Never share a full drive; don't share folders/files on your PC; in case required, give user-specific, read-only access and remove the sharing after use.
Don't install any software, licensed or unlicensed, other than those authorized by the Bank.

Desktop Security (contd)

Don't execute any suspicious / doubtful file attachments received through e-mail.
Don't download any software / games from the internet.
Adhere to the desktop policy of the Bank.
Don't enable Remote Desktop access / VNC / NetMeeting without a password.
Turn off your PC when you leave for the day.
Restriction on the use of USB / pen drives.
Don't let your computer become a zombie.
Report vulnerable computers to the FMS Engineer / Help desk (39148061-64).

Viruses

Malicious software: Viruses
Malicious code that is capable of inflicting a great deal of damage and causing extensive frustration:
Stealing files containing personal information
Sending emails from your account
Rendering your computer unusable
Removing files from your computer

Sources: spam, websites, compromised floppy/CD/DVD, pen drives, games, sharing of folders.

Viruses - Incidents

The Telegraph, Friday 05 October 2012 (Topic: Cyber espionage virus targets Lebanese banks)

Named Gauss after an apparent reference to a German mathematician contained in its code, the virus has infected more than 2,500 computers, mainly in Lebanon, according to the Russian security firm Kaspersky Lab. It is designed to spy on customers of the Lebanese banks BlomBank, ByblosBank and Credit Libanais, analysis showed. Citibank and PayPal customers have also been targeted, Kaspersky Lab said. Unlike the viruses used by criminals to commit online banking fraud, Gauss targets a very specific set of institutions.

Viruses - Symptoms

Computer runs more slowly than normal
It stops responding or locks up often
It crashes and restarts every few minutes
It restarts on its own and fails to run normally
Applications on your computer don't work correctly
Disks or disk drives are inaccessible
Documents are not printed correctly
Unusual error messages pop up
Menus and dialog boxes appear distorted

Viruses (Steps taken by the Bank)

Anti-virus software from Trend Micro deployed on all PCs.
Suitable AV software put on all the servers.
Regular virus pattern updates on PCs done centrally.
AV scanning of mails at the mail gateway.
Trend Micro support to deal with any virus outbreak.

Viruses (Employee Responsibility): What you can do

Do not open attachments of suspicious e-mails.
Do not share folders for writing.
Use a strong password if sharing is inevitable.
Forward all suspicious e-mails as attachments to [email protected].
Check for the Trend Micro Anti-virus icon on the status bar.
The OfficeScan client should be installed, up and running, with the latest virus pattern updates.
Contact the FMS Engineer or Shri Santan Lobo of IIL, 022-39148119, [email protected] for Anti-Virus.

USB / Pen Drive: Risks

Viruses: USB drives are the chief mode by which corporate PCs get infected with viruses.
Malicious software: Unauthorized software like shareware programs, software pranks and video clippings etc. could be brought in on a USB drive.
Data theft: Disgruntled employees can steal data.
Data loss: The portability of these USB flash drives adds to the potential for lost data that could fall into the wrong hands.

USB port / drive enabled (on request & undertaking) only on:
2 PCs (of the Branch Head & SOM) in each branch, plus 2 more PCs for ECCS purposes if required.
PCs of all Officers of the grade DGM & above at branches.
PCs of all Officers of the grade AGM & above at Head Office.

Phishing

Definition: Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details, mobile nos. etc.) by masquerading as a trusted entity.

The Scenario: The victim receives an email that appears to have been sent from his bank. The victim believes the web page to be authentic and enters his username, password and other information. In reality, the website is fake and the victim's information is stolen and misused.

Vishing: phishing over voice.

Phishing Incidents

Fake URL & without the https:// protocol.
Credentials got compromised.

How to recognize? The lock is missing.
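The recognition cues from these slides (fake URL, no https://, missing padlock) turned into a checklist a helpdesk or mail filter can run over a link before a customer clicks it. This is an added example, not the Bank's code or its anti-phishing vendor's; `examplebank.example` is a constructed placeholder for the institution's real domain, and the sample links are constructed.

```python
"""Recognising a phishing link the way the slide does (fake URL, no https://,
no padlock). Added example, not the Bank's code; `examplebank.example` is a
constructed placeholder for the institution's real domain."""
from urllib.parse import urlsplit

# Constructed placeholder; a real deployment would list the bank's registered domains.
BANK_DOMAINS = {"examplebank.example"}


def assess_link(url: str, bank_domains=BANK_DOMAINS) -> list:
    """Return a list of warning strings; an empty list means nothing looked off."""
    warnings = []
    # Links pasted without a scheme ("examplebank.example/login") still need parsing.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append("no https:// (browser shows no padlock)")
    if parts.username is not None:
        # In https://examplebank.example@evil.test/ the text before '@' is a
        # username; the real host is whatever follows it.
        warnings.append(f"'@' in URL: text before it is a username, real host is '{host}'")
    if host and all(label.isdigit() for label in host.split(".")):
        warnings.append("bare IP address instead of the bank's domain name")
    if not host.isascii():
        warnings.append("non-ASCII characters in host (possible look-alike letters)")
    # Match only the registered domain or a subdomain of it: both
    # "examplebank.example.evil.test" and "secure-examplebank.example" fail here.
    if not any(host == d or host.endswith("." + d) for d in bank_domains):
        warnings.append(f"host '{host}' is not the bank's domain")
    return warnings


if __name__ == "__main__":
    for link in ["https://netbanking.examplebank.example/login",
                 "http://examplebank.example.evil.test/login",
                 "https://examplebank.example@evil.test/",
                 "http://192.0.2.10/netbanking"]:  # constructed sample links
        print(link, "->", assess_link(link) or "OK")
```

The domain test is the one that matters most: the padlock only proves the connection to whichever host is in the URL is encrypted, so a look-alike host served over https still fails the last check.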
Information Security
8/13/2019 Info Sec Awareness@Dec7th12-Final
40/53
Information Security
Awareness
Top phishing hosting countries (Oct 2012)
Information Security Group 40
Information Security

Phishing: Steps taken by the Bank

Guidelines as per the RBI circular on Prevention of Phishing Attacks followed; raising awareness of customers.
Detection of phishing sites and take-down through the MSS vendor.
Flyers with Dos & Don'ts sent periodically to educate / caution customers.
Different login and transaction passwords mandatory.
One Time Password (OTP) / Unique Registration Number (URN) / Online Shopping Password (OSP) sent to mobile during payee addition for fund transfer.
SMS alerts sent when a new payee is added or an account is debited.
Intra-day debit limit.
Transaction access is disabled if not used for 3 months.
Virtual keyboard to counter key-logging software.
Multifactor authentication being evaluated.

Internet Banking - Incident

Internet Banking Security

Inactive sessions get terminated automatically.
Login / transaction locked on multiple unsuccessful login attempts.
Separate passwords for login and transaction.
OTP/URN/OSP sent to mobile during payee addition for fund transfer.
SMS / email alerts on account debit.
Virtual key-pad for login.
SSL (https) secure access protocol.
Password mailed separately using special printing.
Password not stored in plain text.
Mandatory password change every 180 days.
Limiting the amount of transfers in a day.

Internet Banking: Customer Awareness

Be aware of the risks associated with net banking transactions.
Make strong passwords, keep them secret & change them often.
Register your mobile number with us and get SMS alerts to keep track of high-value card & net banking transactions in your account.
Avoid doing net banking transactions from cyber cafes, as they are likely to have key loggers.
Use the virtual keypad to enter your password for enhanced security.
Keep your PC secure by using FW and AV software.
Be aware of phishing and take adequate precautions.

ATM Security Threats

Physical attack: Steal cash from vaults, vandalism.
Card cloning: Counterfeit card created from skimmed data.
Skimming device.
Keyboard overlay: False keypad used to record the PIN.
Card trapping: Trap the card in the ATM slot.
Install a spy camera to record PIN entry.

ATM Security Incidents

Info. Security in ATMs

Security personnel to avert physical attacks on the ATM.
ATM magnetic stripe card.
PIN mailed separately using special printing.
PIN not stored in plain text in the database.
Encrypting PIN pad.
Limiting the withdrawal amount in a day.
Card captured on repeated input of wrong passwords.
Cards and PINs destroyed if undelivered for a long time.
Camera / storage of video footage.

e-Mails - Risks

Spam e-mails: unsolicited bulk emails.
Spoofing: masquerading the sender address & email header.
Phishing e-mails.
Malicious e-mail attachments: viruses, worms, trojans, spyware, malware.
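Two of the risks on this slide, spoofing (a masqueraded sender address or header) and malicious attachments, can be screened with plain header and attachment checks. The following is an added example using the Python standard library's email parser; it is not the Bank's mail-gateway rule set. Both messages are constructed samples, every domain in them is a placeholder, and the blocked-extension list is an assumption.

```python
"""Header and attachment checks for two e-mail risks: spoofing and malicious
attachments. Added example using the standard-library email parser, not the
Bank's gateway rules; both messages are constructed and every domain is a placeholder."""
import email
import os
from email import policy
from email.utils import parseaddr

# Extensions a mail gateway would normally block outright (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".js", ".vbs", ".jar", ".hta"}


def domain_of(header_value: str) -> str:
    """Extract the domain from a header like '"Name" <user@host>' (empty if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> list:
    """Return a list of findings for one raw message; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(str(msg.get("From", "")))
    # Spoofing indicators: the visible From domain disagrees with where bounces
    # (Return-Path) or replies (Reply-To) actually go.
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(str(msg.get(header, "")))
        if other and other != from_domain:
            findings.append(f"{header} domain '{other}' differs from From domain '{from_domain}'")
    # Attachment check: the last extension decides how the file is opened, so
    # "statement.pdf.exe" is an executable however it is named.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable attachment '{name}'")
    return findings


# Constructed sample: spoofed headers plus a double-extension attachment.
PHISH = b"""Return-Path: <bounce@mailer.evil.test>
From: "Example Bank Alerts" <alerts@examplebank.example>
Reply-To: <helpdesk@evil.test>
To: customer@example.com
Subject: Your account will be locked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached statement.
--XYZ
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

ZGVtbw==
--XYZ--
"""

# Constructed sample: consistent headers and a plain PDF attachment.
LEGIT = b"""Return-Path: <bounce@examplebank.example>
From: "Example Bank Alerts" <alerts@examplebank.example>
To: customer@example.com
Subject: Your monthly statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Your statement is attached.
--XYZ
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

ZGVtbw==
--XYZ--
"""

if __name__ == "__main__":
    print(triage(PHISH))
    print(triage(LEGIT))  # -> []
```

A mismatch between From and Return-Path or Reply-To is only an indicator (mailing lists and ticketing systems produce it legitimately), so at the gateway it is a scoring input rather than a hard reject, whereas an executable attachment is blocked regardless.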

e-Mail Guidelines

HR Circular No. IDBIBank/2009-10/247/HR/HR-61 on misuse of the official mail facility.
Email has become the official mode of communication and hence is to be used only for business purposes.
No exchange of views/comments/opinions on unofficial issues.
No bulletin boards, newsgroups.
The user is responsible for misuse. Password protect the account and do not share it with anyone.
Emails are Bank property and can be intercepted without specific intimation.
All emails are archived for 7 years.
Don't open spam and suspicious mail attachments.

Internet Access

Surfing the web is like swimming with sharks.

Internet Access (contd)

Business purpose only.
Don't share passwords.
No downloading of games, freeware, shareware.
All internet access is logged and reviewed by ISG.
No accessing porn material.
USB-based modems prohibited.
Branch Heads, SOMs and AGMs & above are provided internet access on request.
Recommendation of CGM / Vertical Head required for grade A and B.

Security Incident Reporting

Be alert and report incidents.

Types of incident:
Hacking attempt
Disclosure of confidential/sensitive information
Hardware/IT asset theft
Virus incident
Malfunctioning of IT equipment leading to unavailability of information resources

Report incidents to ISG ([email protected]).

Thank You