• Security issues are a major source of concern for everyone both inside and outside
the banking industry. E-banking increases security risks, potentially exposing
isolated systems to open and risky environments. Banks need to be proactive in
monitoring and managing the security threat.
• Computer security is never absolute; that is, no computer system can ever be
100% secure. A determined and persistent attacker can find a way to defeat or
bypass almost any security measure. Network/computer security is a means of
reducing vulnerabilities and managing risk.
• Security awareness will teach people not to disclose sensitive information such
as passwords and file names.
Week 3 1
3.1 Different types of threats
• External - These threats generally come from outside the organization or the
LAN (e.g. from the Internet). Example: a computer virus in an e-mail file attachment,
or a paid hacker engaged in industrial espionage.
• Intelligence challenge
• Cause harm to an organization
• Monetary and other frauds
• Unfair competitiveness
• Access to privacy
• Non-malicious threats are threats caused unintentionally by users of the
computer system. Misuse of applications or wrong manipulation of hardware
devices can disrupt the proper functioning of computer systems. For
example, imagine a user working directly on a file stored on a diskette who
suddenly removes the diskette without properly closing the file.
3.2 Basic Security Issues
o How can the user be sure that the Web server (where e-banking web pages
reside) is owned and operated by a legitimate company?
o How does the user know that the Web page and form do not contain some
malicious or dangerous code or content?
o How does the user know that the owner of the Web site will not distribute
the information the user provides to some other party?
o How does the company know the user will not attempt to break into the
Web server or alter the pages and content at the site?
o How does the company know that the user will not try to disrupt the server
so that it is not available to others?
o How do both parties know that the network connection is free from
eavesdropping by a third party “listening” on the line?
o How do they know that the information sent back-and-forth between the
server and the user’s browser has not been altered?
3.2.1 Authentication & Authorisation
• Authentication
o The process by which one entity verifies that another entity is who he, she,
or it claims to be.
• Authorisation
o The process that ensures that a person has the right to access certain
resources.
• Access Control
Access controls are mechanisms that restrict a given user's access to the system
and its facilities to the extent necessary to perform his or her job
function.
2. It goes hand in hand with authentication. In establishing a link between a
bank’s internal network and the Internet, a number of additional access points
into the internal operational system might be created.
3. Attempts to overload the system using DDoS (Distributed Denial of Service) and
DoS (Denial of Service) attacks.
3.2.2 Auditing
• A log file records every attempt to access a web page or data in a
database.
• Audits provide a means to reconstruct any actions that were taken and to identify
their author.
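As an added illustration of 3.2.1 and 3.2.2 (example code, not part of the original lecture notes): a minimal e-banking access flow that authenticates a user against a salted password hash, authorises the request against the permissions of the user's role, and writes every attempt, allowed or denied, to an audit log from which a given author's actions can be reconstructed. The user names, roles and permission names are constructed for the demo.

```python
import hashlib, hmac, os, time

# Constructed demo users: salted PBKDF2 password hashes, never plaintext passwords.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALTS = {"alice": os.urandom(16), "clerk1": os.urandom(16)}
USERS = {  # username -> (salt, password hash, role)
    "alice": (_SALTS["alice"], _hash_pw("correct horse", _SALTS["alice"]), "customer"),
    "clerk1": (_SALTS["clerk1"], _hash_pw("teller-pass", _SALTS["clerk1"]), "teller"),
}
# Authorisation (access control): each role gets only what its job function needs.
ROLE_PERMISSIONS = {
    "customer": {"view_own_balance", "transfer_own_funds"},
    "teller": {"view_own_balance", "view_any_balance"},
}
AUDIT_LOG = []  # every attempt, successful or not, is recorded here

def _audit(user: str, action: str, outcome: str) -> None:
    AUDIT_LOG.append({"ts": time.time(), "user": user, "action": action, "outcome": outcome})

def authenticate(username: str, password: str) -> bool:
    """Verify that the entity is who it claims to be (3.2.1 Authentication)."""
    rec = USERS.get(username)
    if rec is None:
        _audit(username, "login", "denied: unknown user")
        return False
    salt, stored, _role = rec
    # constant-time comparison so a bad guess cannot be timed against the stored hash
    ok = hmac.compare_digest(_hash_pw(password, salt), stored)
    _audit(username, "login", "ok" if ok else "denied: bad password")
    return ok

def authorise(username: str, action: str) -> bool:
    """Check that an authenticated user has the right to the requested resource."""
    rec = USERS.get(username)
    role = rec[2] if rec else None
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    _audit(username, action, "ok" if allowed else "denied: not permitted for role")
    return allowed

def actions_by(username: str) -> list:
    """Auditing (3.2.2): reconstruct from the log what a given author attempted."""
    return [(e["action"], e["outcome"]) for e in AUDIT_LOG if e["user"] == username]
```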
3.2.3 Data Confidentiality
• It is intertwined with the notion of data privacy, which is now a regulatory issue
in many countries.
o Human error
o Intentional tampering
o Catastrophic events
• Failure to protect the correctness of data may render data useless, or worse,
dangerous.
• Efforts must be made to ensure the accuracy and soundness of data at all times.
Methods to ensure data integrity are: Access control, Encryption, Digital
signatures.
3.2.5 Non Repudiation
• The ability to prevent parties from denying that a legitimate transaction took place
(usually by means of a signature).
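Added example, not from the original notes: a tamper-detection check for a transaction message, using HMAC-SHA256 from the Python standard library over a canonical JSON encoding. A message authentication code gives the integrity assurance of the methods listed above but, unlike the digital signature mentioned here, not non-repudiation, because the verifying party holds the same key as the sender. The key and transaction fields are constructed for the demo.

```python
import hmac, hashlib, json

# Constructed demo key; a real system would provision a per-channel or per-session key.
SHARED_KEY = b"demo-key-not-for-production"

def canonical_bytes(txn: dict) -> bytes:
    """Serialise deterministically so field order in transit cannot change the tag."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()

def tag_transaction(txn: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side: compute the integrity tag sent alongside the transaction."""
    return hmac.new(key, canonical_bytes(txn), hashlib.sha256).hexdigest()

def verify_transaction(txn: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: accept only if the recomputed tag matches (constant-time)."""
    return hmac.compare_digest(tag_transaction(txn, key), tag)

def integrity_check(original: dict, received: dict) -> bool:
    """Tag the original, then verify the message actually received."""
    return verify_transaction(received, tag_transaction(original))
```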
Figure 1 below depicts some of the major components in any electronic application and indicates
where the above security issues come into play.
3.2.6 Backup, Recovery & Business Continuity
• Banks should also have well-documented and tested business continuity plans
that address all aspects of the bank's business.
• The frequency of back up should depend on the recovery needs of the application.
Online/real time systems require frequent backups within a day.
Non-technical attacks
• An attack that uses trickery to induce people to reveal sensitive
information or to perform actions that compromise the security of a network.
• The following approaches should be used to combat social engineering:
o Education and training
o Policies and procedures
o Penetration testing (testing of individual staff by outside experts in different
situations)
Technical attacks
• An attack perpetrated using software and systems knowledge or expertise.
(Several tools are available over the Internet that enable a hacker to expose a
system’s vulnerabilities.)
• (In February 2000, Amazon.com, CNN.com, eBay, Yahoo and other well-known
web sites were flooded with so many requests that legitimate traffic was virtually
halted. In January 2001, various Microsoft web sites experienced the same problem
– msn, msnbc, Expedia, Hotmail, etc.)
Malicious code (Malware): Virus, Worm, Trojan Horses
Virus
• A piece of software code that inserts itself into a host, including the operating
system, in order to propagate; it requires that its host program be run to activate
it.
Worm
• A software program that runs independently, consuming the resources of its host
in order to maintain itself, and that is capable of propagating a complete working
copy of itself onto another machine.
Trojan Horse
• A program that appears to have a useful function but contains a hidden function
that presents a security risk. (Trojan horse – from Greek mythology, during the
battle of Troy)
As the number of attacks increases, the following trends in malicious code are emerging:
• Increased speed and volume of attacks.
• Reduced time between the discovery of a vulnerability and the release of an attack
to exploit the vulnerability.
• E-commerce is the most frequently targeted industry.
• Attacks against Web application technologies are increasing.
• A large percentage of Fortune 100 companies have been compromised by worms.