Evolution of Security Standards in Indian Banking Industry
V. Radha
IDRBT

The chronology of events (1999-2004)
• IDRBT set up INFINET
• Hyperchat was the only application
• It's VSAT-based
• Banks were using Novell-based net applications
• IP was enabled on INFINET and internal banks' LANs could be connected
• MMS launched
• Novell was very late in bringing IP onto Netware. Today there are no/few Novell apps in the banking industry.
• IDRBT CA
• SFMS
• NEFT
• NFS

Thursday, May 25, 2017 Institute for Development and Research in Banking Technology

First few threats and countermeasures
• Very low knowledge levels of networks (even IP addressing, routing etc.)
• Even Internet IP addresses generated from browsers' DNS requests used to hit INFINET and bring down the entire INFINET.
• Banks were guided to connect to INFINET through routers with NAT, proxies, firewalls etc.
• MMS was hacked
• IS Audit was mandated
• CISA certifications were encouraged
• Internet Banking required RBI permission
• Training programs on INFINET, Network Security, MMS etc. were launched

Recent Initiatives
• VAPT from Cert empanelled IS auditors
• IS Governance and IT Governance from IDRBT
• Gopala Krishna Committee Guidelines on Security, Cybercrime etc.
• PCI-DSS
• Mobile Banking Security Guidelines

Security
• Security Problems
  – Man made
    • Created by faulty design and implementation issues
      – Phishing
      – Spoofing etc.
      – Majority of attacks listed in OWASP
    • Crossing lines of “not supposed to”
      – Unauthorized Access
      – Tampering Data
  – Natural
    • Identity Management
    • AAA
    • Secret Sharing etc.

Solutions
• Strengthen the weak protocols, software, OS, implementation etc.
• Prevent security threats from manifesting as far as possible
• Monitor the events of crossing lines of “not supposed to”

New thoughts
• Looked at phishing and anti-phishing solutions
  – Very little can be done from the banks' end on this
  – Solutions like SPF have to be implemented by everyone, not just by banks.
  – Domain Specific Passwords is a very good solution, but has to be part of browsers
  – The majority of phishing techniques, like look-alike domain names, URL redirection etc., are taken care of by browsers
  – Banks are asked to deploy adaptive authentication, over and above 2-factor authentication (monitoring solution)

Source Code Review
• As we see that many vulnerabilities are due to bad coding, we felt the need to mandate source code review for application vendors. Also, we observed that product vendors, such as OS and database vendors, have framed their own in-house frameworks for ensuring safe and secure software.

Formal Methods
• New Payment Protocols
• Design-level verification is a must before deploying the protocol
• New Privacy Issues in Mobile Telephony: Fix and Verification by Ravishankar Borgaonkar et al.

Data Privacy
• Some cases of corporate espionage
• Some banks are setting up Data Governance Groups
• Groups include HNI, corporate customers and solution vendors, along with the banks' CISO

Business Process Re-engineering
• Dematerialized Deposits
• Online Deposit verification
• Straight-through Processing
  – Automated Data Flow
• Online Lending Platforms

Education
• Most of the security problems are thrown into the courts of solution vendors (n/w, app etc.)
• Banks can resolve them only if they are knowledgeable
• Network Security, IS Audit, IS & IT Governance, Secure Coding practices, Fraud Detection and Monitoring etc. help equip them with the latest know-how.

Human Resources
• Banks are increasing the number of specialist technical officers in Scale I and Scale II, through campus recruitment as well
• IDRBT M.Tech IT with UOH, 100% placement
• We envisage that the future generation of bank employees will come up with new innovations and appreciate the government and regulatory policies in taking benefits from technology, with little or no resistance

Thank You