Information Risk Management
Semester I
Assignment - II

Symbiosis Centre for Information Technology, Pune
MBA ITBM 201315

Banking Systems

Submitted By: Group 2

Risk Assessment Report Banking Systems

TABLE OF CONTENTS
INTRODUCTION ............ 3
IT SYSTEM CHARACTERIZATION ............ 4
RISK IDENTIFICATION ............ 7
CONTROL ANALYSIS ............ 10
RISK LIKELIHOOD DETERMINATION ............ 18
RISK IMPACT ANALYSIS ............ 21
OVERALL RISK DETERMINATION ............ 23
RECOMMENDATIONS ............ 26
RESULTS DOCUMENTATION ............ 29

LIST OF EXHIBITS
EXHIBIT 1: RISK ASSESSMENT MATRIX ............ 23

LIST OF FIGURES
FIGURE 1 CORE BANKING SYSTEM ............ 5
FIGURE 2 ONLINE BANKING SYSTEM ............ 6

1. Introduction
A risk assessment is a process by which to determine what information resources exist that
require protection, and to understand and document potential risks from IT security failures that
may cause loss of information confidentiality, integrity, or availability. The purpose of a risk
assessment is to help management create appropriate strategies and controls for stewardship of
information assets.
Risk Assessment Partners:
Gaurav Sodani
Jayesh Singhal
Kuldeep Choudhary
Rohit Gedam
Vivek Pinnamaneni
The risk classification used is as follows:
1. High: The loss of confidentiality, integrity, or availability could be expected to have a
severe or catastrophic adverse effect on organizational operations, organizational assets,
or individuals.
2. Moderate: The loss of confidentiality, integrity, or availability could be expected to
have a serious adverse effect on organizational operations, organizational assets, or
individuals.
3. Low: The loss of confidentiality, integrity, or availability could be expected to have a
limited adverse effect on organizational operations, organizational assets, or individuals.

2. IT System Characterization
In assessing risks for an IT system, the first step is to define the scope of the effort. In this step,
the boundaries of the IT system are identified, along with the resources and the information that
constitute the system. Characterizing a banking sector system establishes the scope of the risk
assessment effort, delineates the operational authorization (or accreditation) boundaries, and
provides the information (e.g., hardware, software, system connectivity, and the responsible division
or support personnel) essential to defining the risk.
The overall banking sector system comprises several systems: the core banking system (which
includes the banking payment system and the banking infrastructure system), the online banking
system, the mobile banking system, and so on. While writing a risk assessment report it is therefore
essential to consider all of the above systems to get a complete overview of the risks identified and
the precautions used to mitigate them.

Banking Sector Systems Definition Document

System Identification and Ownership
IT System ID: CBS001, OBS002
IT System Common Name: Core Banking System, Online Banking System
Major Business Function:
Banks act as payment agents by conducting checking or current accounts for customers,
paying checks drawn by customers on the bank, and collecting checks deposited to
customers' current accounts. Banks also enable customer payments via other payment
methods such as Automated Clearing House (ACH), Wire transfers or telegraphic
transfer, EFTPOS, and automated teller machine (ATM).
Banks provide different payment services, and a bank account is considered
indispensable by most businesses and individuals. Non-banks that provide payment
services such as remittance companies are normally not considered as an adequate
substitute for a bank account.
Banks lend money by making advances to customers on current accounts, by making
installment loans, and by investing in marketable debt securities and other forms of
money lending.

System Description:
CORE BANKING SYSTEM

Core banking is normally defined as the business conducted by a banking institution with
its retail and small business customers. Many banks treat the retail customers as their core
banking customers, and have a separate line of business to manage small businesses. Core
banking basically is the depositing and lending of money.
CORE stands for "centralized online real-time environment". This basically means that all
of the bank's branches access applications from centralized data centers, so deposits made
are reflected immediately on the bank's servers and the customer can withdraw the deposited
money from any of the bank's branches throughout the world. These applications now also
have the capability to address the needs of corporate customers, providing a comprehensive
banking solution.
Core banking solutions are an advancement in technology: the Internet and information
technology in particular have led to new ways of doing business in banking. These
technologies have cut down time, allow working simultaneously on different issues, and
increase efficiency.
The platform where communication technology and information technology are merged
to suit the core needs of banking is known as a core banking solution. Here, computer
software is developed to perform the core operations of banking, such as recording of
transactions, passbook maintenance, interest calculations on loans and deposits,
customer records, balance of payments and withdrawals. This software is installed at the
different branches of the bank and then interconnected by means of communication lines
such as telephone, satellite, internet etc. It allows the users (customers) to operate their
accounts from any branch that has installed the core banking solution. This new platform
has changed the way banks work.

ONLINE BANKING SYSTEM

Online banking (or Internet banking or e-banking) allows customers of a financial
institution to conduct financial transactions on a secure website operated by the
institution, which can be a retail or virtual bank, credit union or building society.
It may include any transactions related to online usage.
To access a financial institution's online banking facility, a customer having personal
Internet access must register with the institution for the service, and set up a
password (under various names) for customer verification. The password for online
banking is normally not the same as for telephone banking.
Financial institutions now routinely allocate customer numbers (also under various
names), whether or not customers intend to access their online banking facility. Customer
numbers are normally not the same as account numbers, because a number of accounts
can be linked to the one customer number. The customer will link to the customer number
any of those accounts which the customer controls, which may be cheque, savings, loan,
credit card and other accounts.
To access online banking, the customer goes to the financial institution's website
and enters the online banking facility using the customer number and password.
Some financial institutions have set up additional security steps for access, but there is
no consistency in the approach adopted.

3. Risk Identification
3.1 Identification of Vulnerabilities
Vulnerabilities for the banking systems were identified by:
1. Interviews with the Banking System Owner, Data Owner, and the operational and technical
support staff of the IT Department of the Bank.
2. Use of the automated OWASP vulnerability scanning tool.
3. Review of the vulnerabilities identified in the previous Risk Assessment.
3.2 Identification of Credible Threats
Credible threats to the Banking System were identified by:
1. Use of the automated OWASP tool to identify threats to the Banking System.
2. Consulting the previous Risk Assessment and analyzing how the Banking System
threat environment has changed since the previous Risk Assessment.
3. Interviewing the Banking System Owner, Data Owner, and System Administrators to gather
information about system-specific threats to the Banking System.

Table C: Credible Threats Identified for the Banking System

Malicious Use
Workplace Violence
Earthquakes
Vandalism and/or Rioting
Computer Crime
Electromagnetic Interference
Pandemic
Blackmail
Fire (Major or Minor)
Power Loss
Bomb Threats
Hurricanes
Loss of Key Personnel
Communication Failure
Human Error
Unauthorized Access or Use
Fraud/Embezzlement
Terrorism
Hardware Failure
Cyber-Terrorism

3.3 Identification of Risks


Risks were identified for the Banking System by matching identified vulnerabilities with credible
threats that might exploit them. This pairing of vulnerabilities with credible threats is
documented in Table D.
All identified risks have been included.

Table D: Vulnerabilities, Threats, and Risks
(Columns: Risk No.; Vulnerability; Threat; Risk of Compromise of; Risk Summary)

Risk No. 1
Vulnerability: Digital certificates can be used by more than one user at the same time.
Threat: Unauthorized Use
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk summary: Unauthorized use of digital certificates can allow adversaries to use those certificates.

Risk No. 2
Vulnerability: A One Time Password (OTP) token may be captured and used in real time.
Threat: Unauthorized Access
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk summary: The user may be lured into revealing the password for unauthorized transactions through the use of social engineering.

Risk No. 3
Vulnerability: Virtual keyboard: well-known tools such as screen-loggers or mouse-loggers may capture sensitive information.
Threat: Unauthorized Access
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk summary: Decryption techniques and attacks focused on flawed encryption algorithms can be applied to crack critical information such as User ID and Password.

Risk No. 4
Vulnerability: Device registering, i.e. characteristics thought to be unique to the user's device, may be reproduced.
Threat: Unauthorized Access
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk summary: Information regarding the device's registration can also be reproduced. An attacker can apply social engineering to persuade the user to authorize and register a malicious device.

Risk No. 5
Vulnerability: CAPTCHA: the methods applied to scramble the information in the image are too simple.
Threat: Unauthorized Use
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk summary: If the CAPTCHA image is too simple then it is possible to extract the desired information using OCR software.

Risk No. 6
Vulnerability: User identities (IDs) no longer required are NOT removed from the banking system in a timely manner.
Threat: Unauthorized Use
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk summary: Unauthorized use of unneeded user IDs could compromise the confidentiality & integrity of banking systems data.

Risk No. 7
Vulnerability: Banking systems access privileges are granted on an ad-hoc basis rather than using predefined roles.
Threat: Unauthorized Access
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk summary: Unauthorized access via ad-hoc privileges could compromise the confidentiality & integrity of banking systems data.

Risk No. 8
Vulnerability: The login encryption setting is not properly configured.
Threat: Malicious Use; Computer Crime
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk summary: Unencrypted passwords could be compromised, resulting in compromise of the confidentiality & integrity of sensitive banking systems data.

Risk No. 9
Vulnerability: User names & passwords are in scripts & initialization files.
Threat: Malicious Use; Computer Crime
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk summary: Exploitation of passwords in script & initialization files could result in compromise of the confidentiality & integrity of banking systems data.

Risk No. 10
Vulnerability: Passwords are not set to expire; regular password changes are not enforced.
Threat: Malicious Use; Computer Crime
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk summary: Compromise of unexpired/unchanged passwords could result in compromise of the confidentiality & integrity of banking systems data.

Risk No. 11
Vulnerability: Bogus TCP packets (above the allowed packet size) directed at the configured port will cause the banking system to stop responding.
Threat: Malicious Use; Computer Crime
Risk of compromise of: Availability of banking system and data
Risk summary: A denial of service (DoS) attack via large bogus packets sent to the configured port could render the banking system unavailable for use.

Risk No. 12
Vulnerability: New patches to correct flaws in application security design have not been applied.
Threat: Malicious Use; Computer Crime
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk summary: Exploitation of un-patched application security flaws could compromise the confidentiality & integrity of banking systems data.

Risk No. 13
Vulnerability: Wet-pipe sprinkler system in the banking systems Data Centre.
Threat: Fire
Risk of compromise of: Availability of banking system and data
Risk summary: Fire would activate the sprinkler system, causing water damage & compromising the availability of banking systems data.

4. Control Analysis
First we show the security controls list.

Security Controls
(Columns: Control Area; In-Place/Planned; Description of Controls)

1 Risk Management
1.1 IT Security Roles & Responsibilities - In-Place
  1. Security roles for all bank systems have been documented.
  2. Individuals have been assigned to the required bank IT security roles.
1.2 Business Impact Analysis - In-Place
  1. If critical data were lost, the company may go bankrupt.
1.3 IT System & Data Sensitivity Classification - In-Place
  1. Classification has been done.
  2. Bank accounts information is sensitive.
1.4 IT System Inventory & Definition - In-Place / Planned
  1. Inventory has been documented (In-Place).
  2. Definition is not done yet (Planned).
1.5 Risk Assessment - In-Place / Planned
  1. Assessment has been done (In-Place).
  2. Money handling data on the display are at risk because everyone can see the operator monitor.
  3. Documentation is not done yet (Planned).
1.6 IT Security Audits - In-Place / Planned
  1. Audits have been done internally (In-Place).
  2. In the future, external audits will be done if necessary (Planned).

2 IT Contingency Planning
2.1 Continuity of Operations Planning - In-Place / Planned
  1. Plans have been made (In-Place).
  2. The bank main system should work 24x7.
  3. Implementations are not done yet (Planned).
2.2 IT Disaster Recovery Planning - In-Place / Planned
  1. Plans to save the bank main system have been made (In-Place).
  2. Trainings for recovery are not done yet (Planned).
2.3 IT System & Data Backup - In-Place
  1. Duplicated data have been stored abroad every minute.
  2. The banking system has its redundant system.

3 IT Systems Security
3.1 IT System Hardening - In-Place
  1. A new security system was introduced recently.
  2. A lot of money was spent on bank accounts information system hardening.
3.2 IT Systems Interoperability Security - In-Place
  1. Unauthorized devices cannot be connected to the company's bank control network.
  2. Transaction data are transmitted only within the company.
3.3 Malicious Code Protection - In-Place / Planned
  1. A new security system was introduced recently (In-Place).
  2. Trainings for protection are not done yet (Planned).
3.4 IT Systems Development Life Cycle Security - In-Place
  1. The plan has been documented.

4 Logical Access Control
4.1 Account Management - In-Place
  1. Unauthorized users cannot access the bank system.
  2. When adding users, requirements and authorizations are necessary.
  3. The bank secret system is only for managers.
4.2 Password Management - In-Place
  1. The password lifetime is set.
  2. The password length is set.
  3. Biometrics are introduced to the bank secret system.
4.3 Remote Access - In-Place
  1. Remote access isn't allowed.

5 Data Protection
5.1 Data Storage Media Protection - In-Place
  1. Data backup abroad via the VPN.
  2. Data are encrypted by AES.
5.2 Encryption - In-Place
  1. Data are encrypted by AES.
  2. Accounts information is encrypted three times.

6 Facilities Security
6.1 Facilities Security - In-Place / Planned
  1. Rules are set for facilities (In-Place).
  2. Clients' documents are preserved in the vault.
  3. Trainings for facilities are not done yet (Planned).

7 Personnel Security
7.1 Access Determination & Control - In-Place / Planned
  1. Rules are documented for access control (In-Place).
  2. The bank secret system is only for managers, so a control system is introduced.
  3. Definition of the terminology is not done yet (Planned).
7.2 IT Security Awareness & Training - In-Place / Planned
  1. Rules are documented (In-Place).
  2. The importance of IT security has been documented.
  3. Bank accounts information is important.
  4. Trainings for employees are not done yet (Planned).
7.3 Acceptable Use - In-Place
  1. The authorized users have been selected.
  2. When adding users, a requirement is necessary.
  3. The bank secret system is only for managers, so when adding such an account managers have to set it up by themselves.

8 Threat Management
8.1 Threat Detection - In-Place
  1. A new security system was introduced recently.
  2. The bank secret system detection system spends a lot of money on protection.
8.2 Incident Handling - In-Place / Planned
  1. Rules are documented for handling bank system incidents (In-Place).
  2. An attempt to crack the bank secret system was made recently.
  3. Trainings for incident handling are not done yet (Planned).
8.3 Security Monitoring & Logging - In-Place / Planned
  1. Log data are monitored on a 24x7 basis (In-Place).
  2. Bank secret system logs are encrypted.
  3. Log analysis is not done yet (Planned).

9 IT Asset Management
9.1 IT Asset Control - In-Place / Planned
  1. Rules are documented for control (In-Place).
  2. The bank secret system is protected severely.
  3. Trainings for access control are not done yet (Planned).
9.2 Software License Management - Planned
  1. Nothing has been done.
9.3 Configuration Management & Change Control - In-Place / Planned
  1. Rules are documented for bank system configuration management (In-Place).
  2. Change is not allowed without permission.
  3. The bank secret system is only for managers, so if necessary managers have to change the configuration by themselves.
  4. Trainings are not done yet (Planned).

Next we show the Risks-Controls table.

Risks-Controls-Factors Correlation
(Columns: Risk No.; Risk Summary; Correlation of Relevant Controls & Other Factors)

1. Unauthorized use of digital certificates can allow adversaries to use those certificates.
   This kind of incident is very difficult to prevent, and very difficult to solve by ourselves. We have to
   think of consulting other vendors if necessary.

2. The user may be lured into revealing the password for unauthorized transactions through the use of
   social engineering.
   Control 1.5 is relevant to this. Even if we could protect against the network intruder, the threats may
   lie in human interactions; this is social engineering. To prevent this we need some rules.

3. Decryption techniques and attacks focused on flawed encryption algorithms can be applied to crack
   critical information such as User ID and Password.
   Controls 5.1 and 5.2 are related to this. AES is currently a very secure algorithm, but in the future
   such algorithms may be cracked. Protection is very important, but at the same time we have to prepare
   for the time when security incidents have happened.

4. Information regarding the device's registration can also be reproduced. An attacker can apply social
   engineering to persuade the user to authorize and register a malicious device.
   Controls 1.5 and 3.2 are related to this. Unauthorized devices cannot currently be connected to the
   company's bank control network, and transaction data are transmitted only within the company. So in a
   way we are in a secure environment.

5. If the CAPTCHA image is too simple then it is possible to extract the desired information using OCR
   software.
   This kind of incident is very difficult to prevent. First of all, we have to consult the maker. If
   necessary we have to think of renewing the site. It costs a lot of money, so we have to get a budget
   to tackle these problems.

6. Unauthorized use of unneeded user IDs could compromise the confidentiality & integrity of banking
   systems data.
   Controls 4.1 and 4.2 are related to this. To prevent this kind of threat, we have to comply with the
   rules.

7. Unauthorized access via ad-hoc privileges could compromise the confidentiality & integrity of banking
   systems data.
   Controls 4.1, 4.2 and 7.3 are related to this. We now implement strict regulations to prevent
   unauthorized access. We have to keep this up.

8. Unencrypted passwords could be compromised, resulting in compromise of the confidentiality & integrity
   of sensitive banking systems data.
   Controls 5.1 and 5.2 are related to this. Currently we encrypt only data. In the future we have to
   encrypt passwords.

9. Exploitation of passwords in script & initialization files could result in compromise of the
   confidentiality & integrity of banking systems data.
   Control 8.1 is relevant to this. We have now introduced a new detection system, so in a way we may say
   that we are secure. At the same time we have to introduce a log check system. If something happens we
   have to tackle the problem as soon as possible.

10. Compromise of unexpired/unchanged passwords could result in compromise of the confidentiality &
   integrity of banking systems data.
   Control 4.2 is relevant to this. We now set the password lifetime and the password length. On top of
   that, biometrics are introduced to the bank secret system.

11. A denial of service (DoS) attack via large bogus packets sent to the configured port could render the
   banking system unavailable for use.
   This kind of attack is impossible to prevent completely. Protection is very important, but at the same
   time we have to prepare for the time when security incidents have happened. We should think about
   insurance if necessary.

12. Exploitation of un-patched application security flaws could compromise the confidentiality & integrity
   of banking systems data.
   Control 8.1 is relevant to this. We introduced the new detection system, but detection is not always
   perfect. We have to periodically collect the information and apply the solutions regularly.

13. Fire would activate the sprinkler system, causing water damage & compromising the availability of
   banking systems data.
   Controls 2.1, 2.2 and 2.3 are related to this. For emergencies we have to do proper backups.

5. Risk Likelihood Determination

The purpose of this step is to assign a likelihood rating of high, moderate or low to each risk.
This rating is a subjective judgment based on the likelihood that a vulnerability might be
exploited by a credible threat. The following factors are considered:
1. Threat-source motivation and capability, in the case of human threats;
2. Probability of the threat occurring, based on statistical data or previous experience, in
the case of natural and environmental threats; and
3. Existence and effectiveness of current or planned controls.

Likelihood Level: High
Likelihood Definition: The threat-source is highly motivated and sufficiently capable, and controls to
prevent the vulnerability from being exercised are ineffective.
Likelihood Level: Medium
Likelihood Definition: The threat-source is motivated and capable, but controls are in place that may
impede successful exercise of the vulnerability.
Likelihood Level: Low
Likelihood Definition: The threat-source lacks motivation or capability, or controls are in place to
prevent, or at least significantly impede, the vulnerability from being exercised.

(Columns: Risk No.; Risk Summary; Risk Likelihood Evaluation; Risk Likelihood Rating)

1. Unauthorized use of digital certificates can allow adversaries to use stolen certificates.
   Evaluation: Digital certificates issued to a person can be misused. The likelihood of this happening
   is Medium.
   Rating: Medium

2. The user may be lured into revealing the password for unauthorized transactions through the use of
   social engineering.
   Evaluation: Users may be tricked into revealing their passwords by someone disguised as a genuine bank
   employee.
   Rating: High

3. Decryption techniques and attacks focused on flawed encryption algorithms can be applied to crack
   critical information such as User ID and Password.
   Evaluation: Hackers constantly try to break encryption. If the encryption is weak then it can be easily
   broken. The likelihood of this risk is High.
   Rating: High

4. Information regarding the device's registration can also be reproduced. An attacker can apply social
   engineering to persuade the user to authorize and register a malicious device.
   Evaluation: Social engineering is easily possible, so the likelihood is High.
   Rating: High

5. If the CAPTCHA image is too simple then it is possible to extract the desired information using OCR
   software.
   Evaluation: CAPTCHA is used to prevent misuse, but it can be exploited.
   Rating: High

6. Unauthorized use of unneeded user IDs could compromise the confidentiality & integrity of banking
   systems data.
   Evaluation: Users having access to such IDs can misuse them, but the likelihood is Low.
   Rating: Low

7. Unauthorized access via ad-hoc privileges could compromise the confidentiality & integrity of banking
   systems data.
   Evaluation: Certain privileges given on an ad-hoc basis and not revoked can pose a threat. The
   likelihood is Medium.
   Rating: Medium

8. Unencrypted passwords could be compromised, resulting in compromise of the confidentiality & integrity
   of sensitive banking systems data.
   Evaluation: Packets sniffed over the network, as well as passwords stored in databases, can be read,
   so this risk has a High likelihood.
   Rating: High

9. Exploitation of passwords in script & initialization files could result in compromise of the
   confidentiality & integrity of banking systems data.
   Evaluation: Files used for running scripts on the server can be a risk if they have passwords hard
   coded. As such files are accessible only to a few people, the likelihood of this risk is Medium.
   Rating: Medium

10. Compromise of unexpired/unchanged passwords could result in compromise of the confidentiality &
   integrity of banking systems data.
   Evaluation: Passwords can be easily compromised. The likelihood of this happening is very high.
   Rating: High

11. A denial of service (DoS) attack via large bogus packets sent to the configured port could render the
   banking system unavailable for use.
   Evaluation: Miscreants can pull off this attack by launching a DoS or a distributed DoS attack. Since
   this attack can be launched easily, the likelihood is High.
   Rating: High

12. Exploitation of un-patched application security flaws could compromise the confidentiality & integrity
   of banking systems data.
   Evaluation: Applications with security issues are a risk. When the software vendor issues a security
   patch, it has to be installed immediately, but it happens that automatic updates are disabled. Thus
   the likelihood of such a risk is Medium.
   Rating: Medium

13. Fire would activate the sprinkler system, causing water damage & compromising the availability of
   banking systems data.
   Evaluation: Physical damage can cause loss of property and information. The likelihood of such an
   event is Low.
   Rating: Low

6. Impact Analysis:
Here the adverse impact of a successful threat exercise of any vulnerability is measured.
6.1 Pre-requisites before proceeding to the impact analysis:
The following information depicts the mission, data criticality and sensitivity.
6.1.1 System Mission:
Today the mission is to offer a comprehensive integrated banking software solution available in
the marketplace at extremely competitive pricing. In addition to this, banks are putting their
efforts into providing a one-stop solution to their customers.
6.1.2 Data Criticality:
The data is of utmost importance in the banking system. The data is highly critical as it holds the
financial information of all the customers of the bank. The loss of data may result in the loss of
monetary transactions.
6.1.3 System and data sensitivity:
The data sensitivity is high due to the financial details it contains.
6.2 Impact definition:
Table 6A lists the magnitude of impact definitions.

Table 6A
Magnitude of Impact: High
Impact Definition: Exercise of the vulnerability (1) may result in the highly costly loss of
major tangible assets or resources; (2) may significantly violate, harm, or impede an
organization's mission, reputation, or interest; or (3) may result in human death or serious injury.
Magnitude of Impact: Medium
Impact Definition: Exercise of the vulnerability (1) may result in the costly loss of tangible
assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or
interest; or (3) may result in human injury.
Magnitude of Impact: Low
Impact Definition: Exercise of the vulnerability (1) may result in the loss of some tangible
assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.

6.3 Risk and Impact analysis

Table 6B lists all the risks identified and the respective impact on the banking sector.

Table 6B
(Columns: Risk No.; Risk Summary; Risk Impact)

1. Unauthorized use of digital certificates can allow adversaries to use duplicate certificates.
   Risk Impact: Medium
2. The user may be lured into revealing the password for unauthorized transactions through the use of
   social engineering.
   Risk Impact: Low
3. Decryption techniques and attacks focused on flawed encryption algorithms can be applied to crack
   critical information such as User ID and Password.
   Risk Impact: Medium
4. Information regarding the device's registration can also be reproduced. An attacker can apply social
   engineering to persuade the user to authorize and register a malicious device.
   Risk Impact: Medium
5. If the CAPTCHA image is too simple then it is possible to extract the desired information using OCR
   software.
   Risk Impact: Medium
6. Unauthorized use of unneeded user IDs could compromise the confidentiality & integrity of banking
   systems data.
   Risk Impact: Medium
7. Unauthorized access via ad-hoc privileges could compromise the confidentiality & integrity of banking
   systems data.
   Risk Impact: High
8. Unencrypted passwords could be compromised, resulting in compromise of the confidentiality & integrity
   of sensitive banking systems data.
   Risk Impact: High
9. Exploitation of passwords in script & initialization files could result in compromise of the
   confidentiality & integrity of banking systems data.
   Risk Impact: High
10. Compromise of unexpired/unchanged passwords could result in compromise of the confidentiality &
   integrity of banking systems data.
   Risk Impact: Medium
11. A denial of service (DoS) attack via large bogus packets sent to the configured port could render the
   banking system unavailable for use.
   Risk Impact: High
12. Exploitation of un-patched application security flaws could compromise the confidentiality & integrity
   of banking systems data.
   Risk Impact: Medium
13. Fire would activate the sprinkler system, causing water damage & compromising the availability of
   banking systems data.
   Risk Impact: Low

Magnitude of Impact: High

7. Overall Risk Determination:

This step is to assess the level of risk to the IT system. The determination of risk
for a particular threat/vulnerability pair can be expressed as a function of:
1. The likelihood of a given threat-source attempting to exercise a given vulnerability.
2. The magnitude of the impact should a threat-source successfully exercise the vulnerability.
3. The adequacy of planned or existing security controls for reducing or eliminating risk.

7.1 Risk-Level Matrix

The final determination of mission risk is derived by multiplying the ratings assigned for threat
likelihood (i.e. probability) and threat impact. Table 7A shows how the overall risk
ratings might be determined based on inputs from the threat likelihood and threat impact
categories.

Table 7A
Risk Likelihood    Impact: Low (10)       Impact: Medium (50)       Impact: High (100)
High (1.0)         Low (10 x 1.0 = 10)    Medium (50 x 1.0 = 50)    High (100 x 1.0 = 100)
Medium (0.5)       Low (10 x 0.5 = 5)     Medium (50 x 0.5 = 25)    Medium (100 x 0.5 = 50)
Low (0.1)          Low (10 x 0.1 = 1)     Low (50 x 0.1 = 5)        Low (100 x 0.1 = 10)

7.2 Overall Risk Rating Table

Table 7B gives the overall risk rating for each risk identified, combining its likelihood and impact ratings as in Table 7A.

Table 7B

Risk 1. Unauthorized use of digital certificates can allow adversaries to use duplicate certificates.
        Likelihood: Medium    Impact: Medium    Overall Risk Rating: Medium

Risk 2. The user may be lured into disclosing the password for unauthorized transactions through social engineering.
        Likelihood: High      Impact: Low       Overall Risk Rating: Low

Risk 3. Decryption techniques and attacks on flawed encryption algorithms can be applied to crack critical information such as user ID and password.
        Likelihood: High      Impact: Medium    Overall Risk Rating: Medium

Risk 4. Information in the device register can be reproduced, and an attacker can use social engineering to persuade the user to authorize and register a malicious device.
        Likelihood: High      Impact: Medium    Overall Risk Rating: Medium

Risk 5. If the CAPTCHA image is too simple, the required information can be extracted with OCR software.
        Likelihood: High      Impact: Medium    Overall Risk Rating: Medium

Risk 6. Unauthorized use of unneeded user IDs could compromise the confidentiality and integrity of banking systems data.
        Likelihood: Low       Impact: Medium    Overall Risk Rating: Low

Risk 7. Unauthorized access via ad-hoc privileges could compromise the confidentiality and integrity of banking systems data.
        Likelihood: Medium    Impact: High      Overall Risk Rating: Medium

Risk 8. Unencrypted passwords could be compromised, resulting in compromise of the confidentiality and integrity of sensitive banking systems data.
        Likelihood: High      Impact: High      Overall Risk Rating: High

Risk 9. Exploitation of passwords in scripts and initialization files could compromise the confidentiality and integrity of banking systems data.
        Likelihood: Medium    Impact: High      Overall Risk Rating: Medium

Risk 10. Compromise of unexpired or unchanged passwords could compromise the confidentiality and integrity of banking systems data.
        Likelihood: High      Impact: Medium    Overall Risk Rating: Medium

Risk 11. A denial of service (DoS) attack via large bogus packets sent to the configured port could render the banking system unavailable for use.
        Likelihood: High      Impact: High      Overall Risk Rating: High

Risk 12. Exploitation of unpatched application security flaws could compromise the confidentiality and integrity of banking systems data.
        Likelihood: Medium    Impact: Medium    Overall Risk Rating: Medium

Risk 13. A fire would activate the sprinkler system, causing water damage and compromising the availability of banking systems data.
        Likelihood: Low       Impact: Low       Overall Risk Rating: Low
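As an added example (not part of the original report), the Python below encodes the Table 7A weights and bands, recomputes the overall rating of every row of Table 7B, and orders the risks for the corrective-action plan of Table 7C. The weights and band boundaries are read off Table 7A and the risk list reproduces Table 7B with shortened summaries; everything else is illustrative.

```python
"""Risk-level matrix of Table 7A applied to the thirteen risks of Table 7B.

Added example; this is not part of the original report. The weights
(likelihood High 1.0 / Medium 0.5 / Low 0.1, impact High 100 / Medium 50 /
Low 10) and the bands (above 50 High, above 10 Medium, otherwise Low) are
read off Table 7A; the risk list reproduces Table 7B, with the summaries
shortened. Nothing else is taken from the report.
"""
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Numeric cell value of Table 7A, e.g. High likelihood x Medium impact = 50."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Band a score as Table 7A does: only 100 is High; 25 and 50 are Medium; 1, 5, 10 are Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    number: int
    summary: str
    likelihood: str
    impact: str
    stated_overall: str  # the value printed in Table 7B


TABLE_7B = [
    Risk(1, "Unauthorized use of duplicate digital certificates", "Medium", "Medium", "Medium"),
    Risk(2, "Password disclosed through social engineering", "High", "Low", "Low"),
    Risk(3, "Flawed encryption cracked to recover user ID and password", "High", "Medium", "Medium"),
    Risk(4, "Malicious device registered through social engineering", "High", "Medium", "Medium"),
    Risk(5, "CAPTCHA solvable by OCR software", "High", "Medium", "Medium"),
    Risk(6, "Unneeded user IDs not removed", "Low", "Medium", "Low"),
    Risk(7, "Access via ad-hoc privileges", "Medium", "High", "Medium"),
    Risk(8, "Unencrypted passwords", "High", "High", "High"),
    Risk(9, "Passwords in scripts and initialization files", "Medium", "High", "Medium"),
    Risk(10, "Passwords never expire or change", "High", "Medium", "Medium"),
    Risk(11, "Denial of service via oversized bogus packets", "High", "High", "High"),
    Risk(12, "Unpatched application security flaws", "Medium", "Medium", "Medium"),
    Risk(13, "Wet-pipe sprinkler in the data centre", "Low", "Low", "Low"),
]


def check_table(risks=TABLE_7B):
    """Recompute every overall rating; return (number, stated, computed) for any row that disagrees."""
    mismatches = []
    for r in risks:
        computed = risk_level(risk_score(r.likelihood, r.impact))
        if computed != r.stated_overall:
            mismatches.append((r.number, r.stated_overall, computed))
    return mismatches


def prioritised(risks=TABLE_7B):
    """Order for the corrective-action plan of Table 7C: highest score first, ties by risk number."""
    return sorted(risks, key=lambda r: (-risk_score(r.likelihood, r.impact), r.number))


if __name__ == "__main__":
    for r in prioritised():
        score = risk_score(r.likelihood, r.impact)
        print(f"{r.number:>2}  {score:>5.1f}  {risk_level(score):<6}  {r.summary}")
    print("rows disagreeing with Table 7A:", check_table() or "none")
```

Running it lists the risks by score (8 and 11 first, 13 last) and reports that no row of Table 7B disagrees with the matrix; it is the check to rerun whenever a likelihood or impact rating is revised, so the overall column cannot drift from the method that is supposed to produce it.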

7.3 Description of Risk Level

The risk scale and the necessary actions are given in Table 7C. This risk scale, with its ratings of High, Medium and Low, represents the degree or level of risk to which an IT system, facility or procedure might be exposed if a given vulnerability were exercised. The risk scale also presents the actions that senior management, the mission owners, must take for each risk level.

Table 7C

Risk Level   Risk Description and Necessary Actions
High         If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium       If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low          If an observation is described as low risk, the system's Designated Approving Authority (DAA) must determine whether corrective actions are still required or decide to accept the risk.
Risk Level: High

8. Control Recommendations

During this step of the process, controls that could mitigate or eliminate the identified risks are recommended, as appropriate to the banking system. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The following factors are considered in recommending controls and alternative solutions to minimize or eliminate identified risks:
1. Effectiveness of recommended options (e.g., system compatibility)
2. Legislation and regulation
3. Banking policy
4. Operational impact
5. Safety and reliability
The control recommendations are the results of the risk assessment process and provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized, and implemented.
It should be noted that not all possible recommended controls can be implemented to reduce loss.

The risk rating given for each item is the overall risk rating from Table 7B.

Risk 1. Unauthorized use of digital certificates can allow adversaries to use those certificates.
        Risk Rating: Medium
        Recommendation: Digital certificates have to be issued in such a way that they cannot be copied and reused for other purposes.

Risk 2. The user may be lured into disclosing the password for unauthorized transactions through social engineering.
        Risk Rating: Low
        Recommendation: Spammers and unauthorised mailers should be tracked, and all users have to be told not to reply to such mails and not to give their passwords to any social site.

Risk 3. Decryption techniques and attacks on flawed encryption algorithms can be applied to crack critical information such as user ID and password.
        Risk Rating: Medium
        Recommendation: The implementation has to be made foolproof and robust so that passwords cannot be decrypted: use current, unbroken algorithms and never hold passwords in a recoverable form.

Risk 4. Information in the device register can be reproduced, and an attacker can use social engineering to persuade the user to authorize and register a malicious device.
        Risk Rating: Medium
        Recommendation: Through social engineering an attacker can learn the server's IP addressing and introduce a malicious device; extensive testing of the device-registration flow and the use of firewalls reduce this risk.

Risk 5. If the CAPTCHA image is too simple, the required information can be extracted with OCR software.
        Risk Rating: Medium
        Recommendation: The CAPTCHA has to be designed so that it is neither too simple nor too difficult for the user. Extensive testing has to be done with OCR tools that attempt to extract the information, so that this weakness is eliminated.

Risk 6. Unauthorized use of unneeded user IDs could compromise the confidentiality and integrity of banking systems data.
        Risk Rating: Low
        Recommendation: A policy for unneeded user IDs has to be implemented whereby such IDs are deleted from the system. Proper guidelines have to be set according to user activity so that the deletion process can be automated.

Risk 7. Unauthorized access via ad-hoc privileges could compromise the confidentiality and integrity of banking systems data.
        Risk Rating: Medium
        Recommendation: Proper privileges have to be granted to teams through predefined roles rather than on an ad-hoc basis.

Risk 8. Unencrypted passwords could be compromised, resulting in compromise of the confidentiality and integrity of sensitive banking systems data.
        Risk Rating: High
        Recommendation: The login module should have proper encryption features: passwords must travel only over an encrypted channel and be stored only as salted one-way hashes, never in clear or recoverable form.

Risk 9. Exploitation of passwords in scripts and initialization files could compromise the confidentiality and integrity of banking systems data.
        Risk Rating: Medium
        Recommendation: Better coding techniques should be used so that no password is visible: credentials have to be removed from scripts and initialization files, mainframe systems should be used, and all possible steps have to be taken to ensure that a password is not visible to anyone at any point in time.

Risk 10. Compromise of unexpired or unchanged passwords could compromise the confidentiality and integrity of banking systems data.
        Risk Rating: Medium
        Recommendation: There has to be a system whereby the user is notified of password expiry and changes the password at a regular interval; 15 days is the recommended limit.

Risk 11. A denial of service (DoS) attack via large bogus packets sent to the configured port could render the banking system unavailable for use.
        Risk Rating: High
        Recommendation: Proper cost estimation has to be done by the teams as to whether a new intrusion detection system can be deployed. Presently the bank has an intrusion prevention system which is old and obsolete.

Risk 12. Exploitation of unpatched application security flaws could compromise the confidentiality and integrity of banking systems data.
        Risk Rating: Medium
        Recommendation: Proper patch application tools should be used, and an automated system should report to the concerned person which patches have been applied.

Risk 13. A fire would activate the sprinkler system, causing water damage and compromising the availability of banking systems data.
        Risk Rating: Low
        Recommendation: This is unavoidable and the banking management has decided not to take any action on this (the risk is accepted).
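Risk 9 (passwords in scripts and initialization files) is one of the few items above that can be found mechanically rather than by policy alone. The following Python is an added example, not the bank's or the report's own code: it scans a constructed set of shell, .ini and .properties files for literal credentials, skips values that merely reference an environment variable, and reports each hit with the secret masked so the report itself does not leak it. The file contents, host names and passwords are all made up for the illustration, and the pattern list is a starting set rather than an exhaustive one.

```python
"""Scan scripts and initialization files for embedded credentials (risk 9).

Added example, not part of the original report. SAMPLE_FILES is a
constructed stand-in for a bank's script and configuration tree; the
patterns are a starting set for a check to run in a repository hook or a
periodic job, not an exhaustive list.
"""
import re
from dataclasses import dataclass

# Constructed sample content (file path -> text). None of these are real systems.
SAMPLE_FILES = {
    "etl/load_statements.sh": (
        "#!/bin/sh\n"
        "DB_USER=corebank\n"
        "DB_PASS=Summer2013!\n"
        "sqlplus $DB_USER/$DB_PASS@CBSPROD @load.sql\n"
    ),
    "app/db.ini": (
        "[database]\n"
        "host = cbs-db01\n"
        "user = appuser\n"
        "password = ${CBS_DB_PASSWORD}\n"  # read from the environment: acceptable
    ),
    "jobs/nightly.properties": (
        "jdbc.url=jdbc:oracle:thin:@cbs-db01:1521:CBS\n"
        "jdbc.user=batch\n"
        "jdbc.password=batch#2013\n"
    ),
    "tools/report.sh": "mysql -u report -pR3p0rt! -h mis-db reports < monthly.sql\n",
    "README.txt": "Set CBS_DB_PASSWORD before running the jobs.\n",
}

# Each pattern captures the literal secret in the group named 'secret'.
PATTERNS = [
    # key=value / key: value where the key looks like a password or token (shell, ini, properties)
    re.compile(r"""(?i)\b\w*(?:pass(?:word|wd|phrase)?|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['"]?(?P<secret>[^\s'"]+)"""),
    # mysql-style -pSECRET glued to the option
    re.compile(r"(?<=\s)-p(?P<secret>[^\s-]\S*)"),
    # user:password@host inside a connection URL
    re.compile(r"://[^/\s:@]+:(?P<secret>[^@\s/]+)@"),
]

# Values that are references or placeholders rather than literal secrets.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|%\w+%|<[^>]+>|changeme|x{3,}|\*+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    masked_line: str  # the offending line with the secret replaced, safe to put in a report


def scan_text(path: str, text: str) -> list:
    """Return one Finding per line of `text` that carries a literal credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            secret = match.group("secret")
            if PLACEHOLDER.match(secret) or len(secret) < 4:
                continue  # environment reference or placeholder, not a hard-coded value
            findings.append(Finding(path, line_no, line.replace(secret, "***")))
            break  # one finding per line is enough; the value itself is never echoed
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> content and collect findings across all files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.masked_line}")
```

On the constructed tree this flags the shell variable, the .properties entry and the mysql command line, and passes the .ini file that takes its password from the environment. In practice the same function would run over the real script tree in a commit hook or a periodic job, and every hit should be confirmed by hand before the credential is rotated and moved out of the file.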

9. Result Documentation

With the threats, vulnerabilities, risks and impacts for the banking system analysed, the following documents the overall result and can be read as the summary of the whole risk assessment report. For each risk it lists the vulnerability, the threat, what is at risk of compromise, the risk summary, the likelihood, impact and overall risk ratings, the analysis of relevant controls and other factors, and the recommendation.

Risk 1
  Vulnerability: Digital certificates can be used by more than one user at the same time.
  Threat: Unauthorized use.
  Risk of compromise: Confidentiality and integrity of banking systems data.
  Risk summary: Unauthorized use of digital certificates can allow adversaries to use those certificates.
  Likelihood: Medium    Impact: Medium    Overall Risk Rating: Medium
  Analysis of relevant controls and other factors: This kind of incident is very difficult to prevent and very difficult to solve in-house; consulting other vendors should be considered if necessary.
  Recommendation: Digital certificates have to be issued in such a way that they cannot be copied and reused for other purposes.

Risk 2
  Vulnerability: A One Time Password (OTP) token may be captured and used in real time.
  Threat: Unauthorized access.
  Risk of compromise: Confidentiality and integrity of banking systems data.
  Risk summary: The user may be lured into disclosing the password for unauthorized transactions through social engineering.
  Likelihood: High      Impact: Low       Overall Risk Rating: Low
  Analysis of relevant controls and other factors: Control 1.5 is relevant to this. Even if network intruders can be kept out, the threat lies in human interaction, that is, social engineering; rules for users are needed to prevent it.
  Recommendation: Spammers and unauthorised mailers should be tracked, and all users have to be told not to reply to such mails and not to give their passwords to any social site.

Risk 3
  Vulnerability: Virtual keyboard: known tools such as screen-loggers or mouse-loggers may capture sensitive information.
  Threat: Unauthorized access.
  Risk of compromise: Confidentiality and integrity of banking systems data.
  Risk summary: Decryption techniques and attacks on flawed encryption algorithms can be applied to crack critical information such as user ID and password.
  Likelihood: High      Impact: Medium    Overall Risk Rating: Medium
  Analysis of relevant controls and other factors: Controls 5.1 and 5.2 are related to this. AES is a very secure algorithm today, but algorithms may be broken in the future, so protection is important; at the same time the bank has to prepare for the time when a security incident has happened.
  Recommendation: The implementation has to be made foolproof and robust so that passwords cannot be decrypted: use current, unbroken algorithms and never hold passwords in a recoverable form.

Risk 4
  Vulnerability: Device registration: known characteristics thought to be unique to the user's device may be reproduced.
  Threat: Unauthorized access.
  Risk of compromise: Confidentiality and integrity of banking systems data.
  Risk summary: Information in the device register can be reproduced, and an attacker can use social engineering to persuade the user to authorize and register a malicious device.
  Likelihood: High      Impact: Medium    Overall Risk Rating: Medium
  Analysis of relevant controls and other factors: Controls 1.5 and 3.2 are related to this. At present unauthorized devices cannot be connected to the bank's control network and transaction data is transmitted only within the bank, so the environment is to some extent secure.
  Recommendation: Through social engineering an attacker can learn the server's IP addressing and introduce a malicious device; extensive testing of the device-registration flow and the use of firewalls reduce this risk.

Risk 5
  Vulnerability: CAPTCHA: the methods applied to scramble the information in the image are too simple.
  Threat: Unauthorized use.
  Risk of compromise: Confidentiality and integrity of banking systems data.
  Risk summary: If the CAPTCHA image is too simple, the required information can be extracted with OCR software.
  Likelihood: High      Impact: Medium    Overall Risk Rating: Medium
  Analysis of relevant controls and other factors: This kind of incident is very difficult to prevent. The vendor has to be consulted first; if necessary a renewal of the site has to be considered, which costs a lot of money and for which a budget has to be obtained.
  Recommendation: The CAPTCHA has to be designed so that it is neither too simple nor too difficult for the user. Extensive testing has to be done with OCR tools that attempt to extract the information, so that this weakness is eliminated.

Risk 6
  Vulnerability: User identities (IDs) no longer required are NOT removed from the banking system in a timely manner.
  Threat: Unauthorized use.
  Risk of compromise: Confidentiality and integrity of banking systems data.
  Risk summary: Unauthorized use of unneeded user IDs could compromise the confidentiality and integrity of banking systems data.
  Likelihood: Low       Impact: Medium    Overall Risk Rating: Low
  Analysis of relevant controls and other factors: Controls 4.1 and 4.2 are related to this. To prevent this kind of threat the rules have to be complied with.
  Recommendation: A policy for unneeded user IDs has to be implemented whereby such IDs are deleted from the system. Proper guidelines have to be set according to user activity so that the deletion process can be automated.

Risk 7
  Vulnerability: Banking systems access privileges are granted on an ad-hoc basis rather than using predefined roles.
  Threat: Unauthorized access.
  Risk of compromise: Confidentiality and integrity of banking systems data.
  Risk summary: Unauthorized access via ad-hoc privileges could compromise the confidentiality and integrity of banking systems data.
  Likelihood: Medium    Impact: High      Overall Risk Rating: Medium
  Analysis of relevant controls and other factors: Controls 4.1, 4.2 and 7.3 are related to this. Strict regulations to prevent unauthorized access are now implemented and have to be maintained.
  Recommendation: Proper privileges have to be granted to teams through predefined roles rather than on an ad-hoc basis.

Risk 8
  Vulnerability: The login encryption setting is not properly configured.
  Threat: Malicious use / computer crime.
  Risk of compromise: Confidentiality and integrity of banking systems data.
  Risk summary: Unencrypted passwords could be compromised, resulting in compromise of the confidentiality and integrity of sensitive banking systems data.
  Likelihood: High      Impact: High      Overall Risk Rating: High
  Analysis of relevant controls and other factors: Controls 5.1 and 5.2 are related to this. At present only data is encrypted; passwords have to be protected as well.
  Recommendation: The login module should have proper encryption features: passwords must travel only over an encrypted channel and be stored only as salted one-way hashes, never in clear or recoverable form.

Risk 9
  Vulnerability: User names and passwords are in scripts and initialization files.
  Threat: Malicious use / computer crime.
  Risk of compromise: Confidentiality and integrity of banking systems data.
  Risk summary: Exploitation of passwords in scripts and initialization files could compromise the confidentiality and integrity of banking systems data.
  Likelihood: Medium    Impact: High      Overall Risk Rating: Medium
  Analysis of relevant controls and other factors: Control 8.1 is relevant to this. A new detection system has been introduced, so to some extent the bank is secure, but a log-checking system has to be introduced as well so that any incident can be tackled as soon as possible.
  Recommendation: Better coding techniques should be used so that no password is visible: credentials have to be removed from scripts and initialization files, mainframe systems should be used, and all possible steps have to be taken to ensure that a password is not visible to anyone at any point in time.

Risk 10
  Vulnerability: Passwords are not set to expire; regular password changes are not enforced.
  Threat: Malicious use / computer crime.
  Risk of compromise: Confidentiality and integrity of banking systems data.
  Risk summary: Compromise of unexpired or unchanged passwords could compromise the confidentiality and integrity of banking systems data.
  Likelihood: High      Impact: Medium    Overall Risk Rating: Medium
  Analysis of relevant controls and other factors: Control 4.2 is relevant to this. Password lifetime and password length are now set, and in addition biometrics have been introduced for the bank secret system.
  Recommendation: There has to be a system whereby the user is notified of password expiry and changes the password at a regular interval; 15 days is the recommended limit.

Risk 11
  Vulnerability: Bogus TCP packets (above the allowed packet size) directed at the configured port will cause the banking system to stop responding.
  Threat: Malicious use / computer crime.
  Risk of compromise: Availability of the banking system and data.
  Risk summary: A denial of service (DoS) attack via large bogus packets sent to the configured port could render the banking system unavailable for use.
  Likelihood: High      Impact: High      Overall Risk Rating: High
  Analysis of relevant controls and other factors: This kind of attack is impossible to prevent completely. Protection is important, but the bank also has to prepare for the time when a security incident has happened, and should consider insurance if necessary.
  Recommendation: Proper cost estimation has to be done by the teams as to whether a new intrusion detection system can be deployed. Presently the bank has an intrusion prevention system which is old and obsolete.

Risk 12
  Vulnerability: New patches to correct flaws in application security design have not been applied.
  Threat: Malicious use / computer crime.
  Risk of compromise: Confidentiality and integrity of banking systems data.
  Risk summary: Exploitation of unpatched application security flaws could compromise the confidentiality and integrity of banking systems data.
  Likelihood: Medium    Impact: Medium    Overall Risk Rating: Medium
  Analysis of relevant controls and other factors: Control 8.1 is relevant to this. A new detection system has been introduced, but detection is not always perfect; patch information has to be collected periodically and the fixes applied regularly.
  Recommendation: Proper patch application tools should be used, and an automated system should report to the concerned person which patches have been applied.

Risk 13
  Vulnerability: Wet-pipe sprinkler system in the banking systems data centre.
  Threat: Fire.
  Risk of compromise: Availability of the banking system and data.
  Risk summary: A fire would activate the sprinkler system, causing water damage and compromising the availability of banking systems data.
  Likelihood: Low       Impact: Low       Overall Risk Rating: Low
  Analysis of relevant controls and other factors: Controls 2.1, 2.2 and 2.3 are related to this. For emergencies a proper backup has to be maintained.
  Recommendation: This is unavoidable and the banking management has decided not to take any action on this (the risk is accepted).
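The recommendation for risk 8 in sections 8 and 9 speaks of "encryption" in the login module; the property a reviewer actually checks is that passwords are never held in a recoverable form, because anything that can be decrypted can be recovered by whoever obtains the key or the table. The Python below is an added example and not code from the report: it places a weak, reversibly encoded password store beside a salted PBKDF2-HMAC-SHA256 record with constant-time verification and a check for records that need a stronger work factor. The iteration count and the sample password are assumptions.

```python
"""Password storage for the login module: the weak form beside the corrected one (risk 8).

Added example, not part of the original report. The report asks for "proper
encryption" in the login module; what a practitioner checks is that passwords
are never kept in a recoverable form at all, so the corrected version stores a
salted, iterated one-way hash and verifies by recomputation. ITERATIONS is an
assumption to be tuned to the bank's hardware.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumption)
SALT_BYTES = 16


# --- weak: an "unencrypted" or reversibly encoded password ---------------------
def store_weak(password: str) -> str:
    """Anyone who can read the table, a backup or a log recovers the password."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_weak(stored: str) -> str:
    return base64.b64decode(stored).decode("utf-8")


# --- corrected: salted, iterated one-way hash ---------------------------------
def store_hashed(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (salt and digest in hex)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute with the stored parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True if a stored record was produced with a weaker work factor and should be upgraded at next login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < minimum_iterations


if __name__ == "__main__":
    weak = store_weak("Summer2013!")
    print("weak record:", weak, "-> recovered:", recover_weak(weak))
    rec = store_hashed("Summer2013!")
    print("hashed record:", rec)
    print("correct password verifies:", verify_hashed("Summer2013!", rec))
    print("wrong password verifies:", verify_hashed("summer2013!", rec))
```

The record carries its own algorithm name, iteration count and salt, so the work factor can be raised later and old records upgraded transparently when the user next logs in; the per-user random salt is what stops one cracked hash from revealing every account that chose the same password.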
