Evolution of Security Standards in Indian Banking Industry


Evolution of Security Standards in Indian Banking Industry
V.Radha
IDRBT
The chronology of events (1999-2004)
• IDRBT set up INFINET
• Hyperchat was the only application
• It is VSAT based
• Banks were using Novell based net applications
• IP was enabled on INFINET and internal banks' LANs could be connected
• MMS launched
• Novell was very late in bringing IP onto Netware. Today there are no/few Novell apps in the banking industry.
• IDRBT CA
• SFMS
• NEFT
• NFS
Friday, July 17, 2015
Institute for Development and Research in Banking Technology
2
First few threats and countermeasures
• Very low knowledge levels of networks (even IP addressing, routing etc)
• Even Internet IP addresses generated from DNS requests from browsers used to hit INFINET and bring down the entire INFINET.
• Banks were guided to connect to INFINET through routers with NAT, proxies, firewalls etc
• MMS was hacked
• IS Audit was mandated
• CISA certifications were encouraged
• Internet Banking required RBI permission
• Training programs on INFINET, Network Security, MMS etc were launched
Recent Initiatives
• VAPT from CERT-empanelled IS auditors
• IS Governance and IT Governance from IDRBT
• Gopala Krishna Committee Guidelines on Security, Cybercrime etc
• PCI-DSS
• Mobile Banking Security Guidelines
Security
• Security Problems
  – Man made
    • Created by faulty design and implementation issues
      – Phishing
      – Spoofing etc
      – Majority of attacks listed in OWASP
    • Crossing lines of "not supposed to"
      – Unauthorized Access
      – Tampering Data
  – Natural
• Identity Management
• AAA
• Secret Sharing etc
Solutions
• Strengthen the weak protocols, software, OS, implementation etc
• Prevent security threats from manifesting as much as possible
• Monitor the events of crossing lines of "not supposed to"
New thoughts
• Looked at phishing and anti-phishing solutions
  – Very little can be done from the banks' end on this
  – Solutions like SPF have to be implemented by everyone across the board, not just by banks.
  – Domain Specific Passwords is a very good solution, but it has to be part of browsers
  – The majority of phishing techniques, like look-alike domain names, URL redirection etc, are taken care of by browsers
  – Banks are asked to deploy adaptive authentication over and above 2-factor authentication (a monitoring solution)
Source Code Review
• As we see that many vulnerabilities are due to bad coding, we felt the need to mandate source code review for application vendors. We also observed that product vendors such as OS and database vendors have framed their own in-house frameworks for ensuring safe and secure software.
Formal Methods
• New Payment Protocols
• Design-level verification is a must before deploying the protocol
• New Privacy Issues in Mobile Telephony: Fix and Verification by Ravishankar Borgaonkar et al
Data Privacy
• Some cases of corporate espionage
• Some banks are setting up Data Governance Groups
• Groups include HNI and corporate customers and solution vendors, along with the banks' CISOs
Business Process Re-engineering
• Dematerialized Deposits
• Online Deposit Verification
• Straight-through Processing – Automated Data Flow
• Online Lending Platforms
Education
• Most security problems are thrown into the court of solution vendors (network, application etc)
• Banks can resolve them only if they are knowledgeable
• Network Security, IS Audit, IS & IT Governance, Secure Coding practices, Fraud Detection and Monitoring etc help them equip themselves with the latest know-how.
Human Resources
• Banks are increasing the number of specialist technical officers in Scale I and Scale II, through campus recruitment as well
• IDRBT M.Tech IT with UOH, 100% placement
• We envisage that the future generation of bank employees will come up with new innovations and appreciate the government and regulatory policies on taking benefits from technology, with little or no resistance
Thank You