Information Risk Management
Semester I
Assignment - II
Banking Systems

Risk Assessment Report Banking Systems
TABLE OF CONTENTS
INTRODUCTION
IT SYSTEM CHARACTERIZATION
RISK IDENTIFICATION
CONTROL ANALYSIS
RISK LIKELIHOOD DETERMINATION
RISK IMPACT ANALYSIS
OVERALL RISK DETERMINATION
RECOMMENDATIONS
RESULTS DOCUMENTATION

LIST OF EXHIBITS
EXHIBIT 1: RISK ASSESSMENT MATRIX

LIST OF FIGURES
FIGURE 1: CORE BANKING SYSTEM
FIGURE 2: ONLINE BANKING SYSTEM
1. Introduction
A risk assessment is a process by which to determine what information resources exist that
require protection, and to understand and document potential risks from IT security failures that
may cause loss of information confidentiality, integrity, or availability. The purpose of a risk
assessment is to help management create appropriate strategies and controls for stewardship of
information assets.
Risk Assessment Partners:
Gaurav Sodani
Jayesh Singhal
Kuldeep Choudhary
Rohit Gedam
Vivek Pinnamaneni
Risk classification used is as follows:
1. High: The loss of confidentiality, integrity, or availability could be expected to have a
severe or catastrophic adverse effect on organizational operations, organizational assets,
or individuals.
2. Moderate: The loss of confidentiality, integrity, or availability could be expected to
have a serious adverse effect on organizational operations, organizational assets, or
individuals.
3. Low: The loss of confidentiality, integrity, or availability could be expected to have a
limited adverse effect on organizational operations, organizational assets, or individuals.
2. IT System Characterization
In assessing risks for an IT system, the first step is to define the scope of the effort. In this step,
the boundaries of the IT system are identified, along with the resources and the information that
constitute the system. Characterizing a banking sector system establishes the scope of the risk
assessment effort, delineates the operational authorization (or accreditation) boundaries, and
provides information (e.g., hardware, software, system connectivity, and responsible division
or support personnel) essential to defining the risk.
The overall banking sector system comprises the following systems: the core banking system (which includes the banking payment system and the banking infrastructure system), the online banking system, the mobile banking system, and so on. Hence, while writing a risk assessment report it is essential to consider all of the above systems to get a complete overview of the risks identified and the precautions used to mitigate them.
System Description:
CORE BANKING SYSTEM
Core banking is normally defined as the business conducted by a banking institution with its retail and small business customers. Many banks treat the retail customers as their core banking customers, and have a separate line of business to manage small businesses. Core banking basically is the depositing and lending of money.
CORE stands for "centralized online real-time environment". This means that all of the bank's branches access applications from centralized data centers, so deposits made are reflected immediately on the bank's servers and the customer can withdraw the deposited money from any of the bank's branches throughout the world. These applications now also have the capability to address the needs of corporate customers, providing a comprehensive banking solution.
Core banking solutions are an advancement in technology; the Internet and information technology in particular have led to new ways of doing business in banking. These technologies have cut down time, allow working simultaneously on different issues, and increase efficiency.
The platform where communication technology and information technology are merged to suit the core needs of banking is known as a core banking solution. Here, computer software is developed to perform the core operations of banking, such as recording of transactions, passbook maintenance, interest calculations on loans and deposits, customer records, balance of payments and withdrawals. This software is installed at the different branches of the bank and then interconnected by means of communication lines such as telephone, satellite, Internet, etc. It allows users (customers) to operate their accounts from any branch that has installed the core banking solution. This new platform has changed the way banks work.
3. Risk Identification
3.1 Identification of Vulnerabilities
Vulnerabilities for banking systems were identified by:
Interviews with the Banking System Owner, Data Owner, and operational and technical support staff of the IT Department of the Bank.
Use of the automated OWASP vulnerability scanning tool.
Review of vulnerabilities identified in the previous Risk Assessment.
3.2 Identification of Credible Threats
Credible threats to the Banking System were identified by:
Use of the automated OWASP tool to identify threats to the Banking System.
Consulting the previous Risk Assessment and analyzing how the Banking System threat environment has changed since the previous Risk Assessment.
Interviewing the Banking System Owner, Data Owner, and System Administrators to gather information about system-specific threats to the Banking System.
Threat sources considered: Earthquakes, Computer Crime, Electromagnetic Interference, Pandemic, Blackmail, Power Loss, Bomb Threats, Hurricanes, Human Error, Unauthorized Access or Use, Fraud/Embezzlement, Terrorism, Hardware Failure, Cyber-Terrorism, Malicious Use.
Identified vulnerabilities, threats and risks:
Risk No. | Vulnerability | Threat | Risk of Compromise of | Risk Summary
1 | Digital certificates can be used by more than one user at the same time. | Unauthorized Use | Confidentiality & integrity of banking systems data | Unauthorized use of digital certificates can allow adversaries to use those certificates.
2 | A One Time Password (OTP) token may be captured and used in real time. | Unauthorized Access | Confidentiality & integrity of banking systems data | The user may be lured into revealing the password for unauthorized transactions through the use of social engineering.
3 | Virtual keyboard: known tools such as screen-loggers or mouse-loggers may capture sensitive information. | Unauthorized Access | Confidentiality & integrity of banking systems data | Decryption techniques and attacks focused on flawed encryption algorithms can be applied to crack critical information such as User ID and Password.
4 | Device registration: known characteristics thought to be unique to the user's device may be reproduced. | Unauthorized Access | Confidentiality & integrity of banking systems data | Information regarding the device's registration can also be reproduced. An attacker can apply social engineering to persuade the user to authorize and register a malicious device.
5 | | Unauthorized Use | Confidentiality & integrity of banking systems data | If the CAPTCHA image is too simple, then it becomes possible to extract the desired information using OCR software.
6 | User identities (IDs) no longer required are NOT removed from the banking system in a timely manner. | Unauthorized Use | Confidentiality & integrity of banking systems data | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of banking systems data.
7 | Banking systems access privileges are granted on an ad-hoc basis rather than using predefined roles. | Unauthorized Access | Confidentiality & integrity of banking systems data | Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of banking systems data.
8 | Login encryption setting is not properly configured. | Malicious Use, Computer Crime | Confidentiality & integrity of banking systems data | Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive banking systems data.
9 | | Malicious Use, Computer Crime | Confidentiality & integrity of banking systems data | Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of banking systems data.
10 | Passwords are not set to expire; regular password changes are not enforced. | Malicious Use, Computer Crime | Confidentiality & integrity of banking systems data | Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of banking systems data.
11 | Bogus TCP packets (above the allowed packet size) directed at the configured port will cause the banking system to stop responding. | Malicious Use, Computer Crime | Availability of banking system and data | Denial of service attack (DoS) via large bogus packets sent to the configured port could render the banking system unavailable for use.
12 | New patches to correct flaws in application security design have not been applied. | Malicious Use, Computer Crime | Confidentiality & integrity of banking systems data | Exploitation of unpatched application security flaws could compromise confidentiality & integrity of banking systems data.
13 | Wet-pipe sprinkler system in the banking systems Data Centre. | Fire | Availability of banking system and data | Fire would activate the sprinkler system, causing water damage & compromising the availability of banking systems data.
4. Control Analysis
First we show the security controls list.

Security Controls (Control Area: In-Place/Planned)

1 Risk Management
1.1 IT Security Roles & Responsibilities: In-Place
1.5 Risk Assessment
1.6 IT Security Audits: Planned

2 IT Contingency Planning
2.1 Continuity of Operations Planning: In-Place
2.2 IT Disaster Recovery Planning: In-Place

3 IT Systems Security
3.1 IT System Hardening: In-Place
3.2 IT Systems Interoperability Security: In-Place
3.3 Malicious Code Protection
3.4 IT Systems Development Life Cycle Security: Planned

4
4.1 Account Management: In-Place
4.2 Password Management: In-Place

5 Data Protection
5.2 Encryption: In-Place

6
6.1 Facilities Security: In-Place

7 Personnel Security
7.1 Access Determination & Control: In-Place
7.2 IT Security Awareness & Training: Planned

8 Threat Management
8.2 Incident Handling
8.3 Security Monitoring & Logging: Planned

9 IT Asset Management
9.2 Software License Management: In-Place
9.3 Configuration Management & Change Control: In-Place

Risk Summary (Risk No.; Risk Summary; Analysis of relevant controls)
1. Done nothing.
3. Controls 5.1 and 5.2 are related to this. AES is a very secure algorithm now, but in the future these algorithms may be cracked. Protection is very important, but at the same time we have to prepare for the time when security incidents have happened.
6. Controls 4.1 and 4.2 are related to this. To prevent this kind of threat, we have to comply with the rules.
9. Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of banking systems data.
10. Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of banking systems data.
11. Denial of service attack (DoS) via large bogus packets sent to the configured port could render the banking system unavailable for use.
12. Exploitation of unpatched application security flaws could compromise confidentiality & integrity of banking systems data.
13. Controls 2.1, 2.2 and 2.3 are related to this. For emergencies we have to do proper backups.
5. Risk Likelihood Determination
Likelihood Level | Likelihood Definition
High |
Medium | The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
Risk No. | Risk Summary | Risk Likelihood Evaluation | Risk Likelihood Rating
1 | Unauthorized use of digital certificates can allow adversaries to use stolen certificates. | Digital certificates issued to a person can be misused. The likelihood of this happening is Medium. | Medium
2 | The user may be lured into revealing the password for unauthorized transactions through the use of social engineering. | Users may be tricked into revealing their passwords by someone disguised as a genuine bank employee. | High
3 | Decryption techniques and attacks focused on flawed encryption algorithms can be applied to crack critical information such as User ID and Password. | | High
4 | Information regarding the device's registration can also be reproduced. An attacker can apply social engineering to persuade the user to authorize and register a malicious device. | Social engineering is easily possible, so the likelihood is High. | High
5 | If the CAPTCHA image is too simple, then it becomes possible to extract the desired information using OCR software. | CAPTCHA is used to prevent misuse, but it can be exploited. | High
6 | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of banking systems data. | | Low
7 | Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of banking systems data. | | Medium
8 | Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive banking systems data. | | High
9 | Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of banking systems data. | | Medium
10 | Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of banking systems data. | | High
11 | Denial of service attack (DoS) via large bogus packets sent to the configured port could render the banking system unavailable for use. | | High
12 | Exploitation of unpatched application security flaws could compromise confidentiality & integrity of banking systems data. | | Medium
13 | Fire would activate the sprinkler system, causing water damage & compromising the availability of banking systems data. | | Low
6. Impact Analysis
Here the adverse impact of the successful exercise of any vulnerability by a threat is measured.
6.1 Prerequisites before proceeding to the impact analysis:
The following information describes the system mission, data criticality and sensitivity.
6.1.1 System Mission:
Today the mission is to offer a comprehensive integrated banking software solution available in the marketplace at extremely competitive pricing. In addition, banks are putting their efforts into providing a one-stop solution to their customers.
6.1.2 Data Criticality:
The data is of utmost importance in the banking system. The data is highly critical as it holds the financial information of all the customers of the bank. The loss of data may result in the loss of monetary transactions.
6.1.3 System and data sensitivity:
The data sensitivity is high because of the financial details it contains.
6.2 Impact definition:
Table 6A lists the magnitude of impact definitions.

Table 6A
Magnitude of Impact | Impact Definition
High | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.
Medium | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
Low | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.
Risk No. | Risk Impact
1 | Medium
2 | Low
3 | Medium
4 | Medium
5 | Medium
6 | Medium
7 | High
8 | High
9 | High
10 | Medium
11 | High
12 | Medium
13 | Low
7. Overall Risk Determination
Exhibit 1: Risk Assessment Matrix
Impact \ Threat Likelihood | High (1.0) | Medium (0.5) | Low (0.1)
Low (10) | Low (10 X 1.0 = 10) | Low (10 X 0.5 = 5) | Low (10 X 0.1 = 1)
Medium (50) | Medium (50 X 1.0 = 50) | Medium (50 X 0.5 = 25) | Low (50 X 0.1 = 5)
High (100) | High (100 X 1.0 = 100) | Medium (100 X 0.5 = 50) | Low (100 X 0.1 = 10)
Table 7B
Risk No. | Risk Summary | Risk Likelihood Rating | Risk Impact | Overall Risk Rating
1 | Unauthorized use of digital certificates can allow adversaries to use those certificates. | Medium | Medium | Medium
2 | The user may be lured into revealing the password for unauthorized transactions through the use of social engineering. | High | Low | Low
3 | Decryption techniques and attacks focused on flawed encryption algorithms can be applied to crack critical information such as User ID and Password. | High | Medium | Medium
4 | Information regarding the device's registration can also be reproduced. An attacker can apply social engineering to persuade the user to authorize and register a malicious device. | High | Medium | Medium
5 | If the CAPTCHA image is too simple, then it becomes possible to extract the desired information using OCR software. | High | Medium | Medium
6 | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of banking systems data. | Low | Medium | Low
7 | Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of banking systems data. | Medium | High | Medium
8 | Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive banking systems data. | High | High | High
9 | Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of banking systems data. | Medium | High | Medium
10 | Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of banking systems data. | High | Medium | Medium
11 | Denial of service attack (DoS) via large bogus packets sent to the configured port could render the banking system unavailable for use. | High | High | High
12 | Exploitation of unpatched application security flaws could compromise confidentiality & integrity of banking systems data. | Medium | Medium | Medium
13 | Fire would activate the sprinkler system, causing water damage & compromising the availability of banking systems data. | Low | Low | Low
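The scoring behind Exhibit 1 and Table 7B, as an added example that is not part of the original report: it rebuilds the matrix from the impact values (10/50/100) and likelihood multipliers (1.0/0.5/0.1), applies it to the thirteen risks' likelihood and impact ratings, and orders them for the mitigation step. The level thresholds (Low up to 10, Medium up to 50, High above 50) are read off the exhibit's own cells and are an assumption about how the report classifies scores.

```python
"""Risk scoring from Exhibit 1 applied to Table 7B (added example, not the report's own)."""

# Impact magnitudes and likelihood multipliers as given in Exhibit 1.
IMPACT_VALUE = {"Low": 10, "Medium": 50, "High": 100}
LIKELIHOOD_VALUE = {"High": 1.0, "Medium": 0.5, "Low": 0.1}


def risk_score(likelihood: str, impact: str) -> float:
    """Numeric risk score: impact value times likelihood multiplier."""
    return IMPACT_VALUE[impact] * LIKELIHOOD_VALUE[likelihood]


def risk_level(score: float) -> str:
    """Map a score to the level shown in Exhibit 1.

    Assumed thresholds, read off the exhibit: 10, 5 and 1 are Low,
    25 and 50 are Medium, and only 100 is High.
    """
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Rebuild Exhibit 1 as {(likelihood, impact): (score, level)}."""
    matrix = {}
    for impact in IMPACT_VALUE:
        for likelihood in LIKELIHOOD_VALUE:
            score = risk_score(likelihood, impact)
            matrix[(likelihood, impact)] = (score, risk_level(score))
    return matrix


# The thirteen risks with the likelihood and impact ratings the report
# assigns them: (risk no., likelihood rating, impact rating).
REPORT_RISKS = [
    (1, "Medium", "Medium"), (2, "High", "Low"), (3, "High", "Medium"),
    (4, "High", "Medium"), (5, "High", "Medium"), (6, "Low", "Medium"),
    (7, "Medium", "High"), (8, "High", "High"), (9, "Medium", "High"),
    (10, "High", "Medium"), (11, "High", "High"), (12, "Medium", "Medium"),
    (13, "Low", "Low"),
]


def overall_ratings(risks=REPORT_RISKS) -> dict:
    """{risk no.: overall level}, i.e. the last column of Table 7B."""
    return {no: risk_level(risk_score(lk, im)) for no, lk, im in risks}


def prioritised(risks=REPORT_RISKS) -> list:
    """Risk numbers in descending score order, ties kept in report order."""
    ordered = sorted(risks, key=lambda r: -risk_score(r[1], r[2]))
    return [no for no, _, _ in ordered]


if __name__ == "__main__":
    for (lk, im), (score, level) in sorted(risk_matrix().items()):
        print(f"likelihood={lk:6} impact={im:6} -> {score:5.1f} {level}")
    print(overall_ratings())
    print("priority order:", prioritised())
```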
8. Control Recommendations
During this step of the process, controls that could mitigate or eliminate the identified risks are recommended, as appropriate to the banking system. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The following factors are considered in recommending controls and alternative solutions to minimize or eliminate identified risks:
Effectiveness of recommended options (e.g., system compatibility)
Legislation and regulation
Banking policy
Operational impact
Safety and reliability
The control recommendations are the results of the risk assessment process and provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized, and implemented.
It should be noted that not all possible recommended controls can be implemented to reduce loss.
Risk No. | Risk Summary | Risk Rating
1 | Unauthorized use of digital certificates can allow adversaries to use those certificates. | Moderate
2 | The user may be lured into revealing the password for unauthorized transactions through the use of social engineering. | High
3 | Decryption techniques and attacks focused on flawed encryption algorithms can be applied to crack critical information such as User ID and Password. | High
4 | Information regarding the device's registration can also be reproduced. An attacker can apply social engineering to persuade the user to authorize and register a malicious device. | Moderate
5 | If the CAPTCHA image is too simple, then it becomes possible to extract the desired information using OCR software. | Moderate
6 | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of banking systems data. | Moderate
7 | Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of banking systems data. | Moderate
8 | Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive banking systems data. | Moderate
9 | Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of banking systems data. | High
10 | Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of banking systems data. | High
11 | Denial of service attack (DoS) via large bogus packets sent to the configured port could render the banking system unavailable for use. | Moderate
12 | Exploitation of unpatched application security flaws could compromise confidentiality & integrity of banking systems data. | Moderate
13 | Fire would activate the sprinkler system, causing water damage & compromising the availability of banking systems data. | Moderate
9. Result Documentation
Now that all the threats, risks, vulnerabilities and impacts have been analysed for the banking system, the overall result documentation is given below; it can be referred to as the summary of the whole risk assessment report.
Columns: Risk No.; Vulnerability; Threat; Risk of Compromise of; Risk Summary; Risk Likelihood Rating; Risk Impact; Overall Risk Rating; Analysis of relevant controls and other factors; Recommendations.

Risk 1
Vulnerability: Digital certificates can be used by more than one user at the same time.
Threat: Unauthorized Use
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk Summary: Unauthorized use of digital certificates can allow adversaries to use those certificates.
Likelihood: Medium | Impact: Medium | Overall: Medium
Analysis: This kind of incident is very difficult to prevent. It is very difficult to solve by ourselves. We have to think of consulting other vendors if necessary.
Recommendations: Digital certificates have to be made in such a way that they cannot be copied and used for other purposes.

Risk 2
Vulnerability: A One Time Password (OTP) token may be captured and used in real time.
Threat: Unauthorized Access
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk Summary: The user may be lured into revealing the password for unauthorized transactions through the use of social engineering.
Likelihood: High | Impact: Low | Overall: Low
Analysis: Control 1.5 is relevant to this. Even if we could protect against the network intruder, the threats may be around human interactions. This is social engineering. To prevent this we need some rules.
Recommendations: Spammers and unauthorised mailers should be tracked, and all users have to be informed not to reply to these mails/spammers and not to give their passwords to social sites.

Risk 3
Vulnerability: Virtual keyboard: known tools such as screen-loggers or mouse-loggers may capture sensitive information.
Threat: Unauthorized Access
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk Summary: Decryption techniques and attacks focused on flawed encryption algorithms can be applied to crack critical information such as User ID and Password.
Likelihood: High | Impact: Medium | Overall: Medium
Analysis: Controls 5.1 and 5.2 are related to this. AES is a very secure algorithm now, but in the future these algorithms may be cracked. Protection is very important, but at the same time we have to prepare for the time when security incidents have happened.
Recommendations: Coding has to be made foolproof and robust so that the passwords cannot be decrypted.

Risk 4
Vulnerability: Device registration: known characteristics thought to be unique to the user's device may be reproduced.
Threat: Unauthorized Access
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk Summary: Information regarding the device's registration can also be reproduced. An attacker can apply social engineering to persuade the user to authorize and register a malicious device.
Likelihood: High | Impact: Medium | Overall: Medium
Analysis: By using social engineering, a hacker can track the IP addressing of the server and implement the malicious device. By using extensive testing and using firewalls this can be reduced.

Risk 5
Threat: Unauthorized Use
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk Summary: If the CAPTCHA image is too simple, then it becomes possible to extract the desired information using OCR software.
Likelihood: High | Impact: Medium | Overall: Medium
Analysis: This kind of incident is very difficult to prevent. First of all, we have to consult the maker. If necessary we have to think of site renewal. It costs a lot of money. We have to get a budget to tackle these problems.
Recommendations: The CAPTCHA has to be designed in such a way that it is neither too simple nor too difficult for the user. Extensive testing has to be done with tools that can crack the desired information so that this weakness is eliminated.

Risk 6
Vulnerability: User identities (IDs) no longer required are NOT removed from the banking system in a timely manner.
Threat: Unauthorized Use
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk Summary: Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of banking systems data.
Likelihood: Low | Impact: Medium | Overall: Low
Analysis: Controls 4.1 and 4.2 are related to this. To prevent this kind of threat, we have to comply with the rules.
Recommendations: A policy for unneeded user IDs has to be implemented wherein the user IDs can be deleted from the system. Proper guidelines have to be given according to the user trends so that this deletion process can be automated.

Risk 7
Vulnerability: Banking systems access privileges are granted on an ad-hoc basis rather than using predefined roles.
Threat: Unauthorized Access
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk Summary: Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of banking systems data.
Likelihood: Medium | Impact: High | Overall: Medium
Recommendations: Proper privileges have to be given to teams.

Risk 8
Vulnerability: Login encryption setting is not properly configured.
Threat: Malicious Use, Computer Crime
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk Summary: Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive banking systems data.
Likelihood: High | Impact: High | Overall: High
Recommendations: The login module should have proper encryption features.

Risk 9
Threat: Malicious Use, Computer Crime
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk Summary: Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of banking systems data.
Likelihood: Medium | Impact: High | Overall: Medium
Analysis: Control 8.1 is relevant to this. We have now introduced a new detection system, so in a way we may say that we are secure. At the same time we have to introduce a log check system. If something happens we have to tackle the problem as soon as possible.
Recommendations: Better coding techniques should be used wherein no password is visible. A mainframe system should be used, and all possible steps have to be taken to ensure that the password is not visible to anyone at any point in time.

Risk 10
Vulnerability: Passwords are not set to expire; regular password changes are not enforced.
Threat: Malicious Use, Computer Crime
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk Summary: Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of banking systems data.
Likelihood: High | Impact: Medium | Overall: Medium
Analysis: Control 4.2 is relevant to this. We have now set the password lifetime and the password length. On top of that, biometrics have been introduced to the bank's secret system.
Recommendations: There has to be a system where the user is informed about the expiration of the password and changes it at regular intervals. 15 days is the recommended limit.

Risk 11
Vulnerability: Bogus TCP packets (above the allowed packet size) directed at the configured port will cause the banking system to stop responding.
Threat: Malicious Use, Computer Crime
Risk of compromise of: Availability of banking system and data
Risk Summary: Denial of service attack (DoS) via large bogus packets sent to the configured port could render the banking system unavailable for use.
Likelihood: High | Impact: High | Overall: High
Analysis: This kind of attack is impossible to prevent completely. Protection is very important, but at the same time we have to prepare for the time when security incidents have happened. We should think about insurance if necessary.
Recommendations: Proper cost estimation has to be done by the teams on whether a new intrusion detection system can be applied or not. Presently the bank has an intrusion prevention system which is old and obsolete.

Risk 12
Vulnerability: New patches to correct flaws in application security design have not been applied.
Threat: Malicious Use, Computer Crime
Risk of compromise of: Confidentiality & integrity of banking systems data
Risk Summary: Exploitation of unpatched application security flaws could compromise confidentiality & integrity of banking systems data.
Likelihood: Medium | Impact: Medium | Overall: Medium
Analysis: Control 8.1 is relevant to this. We introduced the new detection system. Detection is not always perfect. We have to periodically collect the information and apply the solutions regularly.
Recommendations: Proper patch application tools should be used, and an automated system should send a report to the concerned person telling them which patches have been applied.

Risk 13
Vulnerability: Wet-pipe sprinkler system in the banking systems Data Centre.
Threat: Fire
Risk of compromise of: Availability of banking system and data
Risk Summary: Fire would activate the sprinkler system, causing water damage & compromising the availability of banking systems data.
Likelihood: Low | Impact: Low | Overall: Low
Analysis: Controls 2.1, 2.2 and 2.3 are related to this. For emergencies we have to do proper backups.
Recommendations: This is unavoidable and the banking management has decided not to take any action on this.
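An added example, not part of the original report, of the automated checks recommended for risks 6 and 10: it audits a constructed account list for IDs of departed users that are still enabled and for passwords older than the 15-day limit the report recommends, and performs the automated disable step. The Account record shape, the three-day grace and warning periods, and the sample data are assumptions made for the example.

```python
"""Account hygiene checks for risks 6 and 10 (added example, not the report's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PASSWORD_MAX_AGE_DAYS = 15   # the report's recommended password lifetime (risk 10)
ID_REMOVAL_GRACE_DAYS = 3    # assumed: days after leaving before an ID counts as stale (risk 6)
EXPIRY_WARNING_DAYS = 3      # assumed: how early to remind a user before expiry


@dataclass
class Account:
    """One directory entry; a constructed record shape, not a real bank's."""
    user_id: str
    enabled: bool
    password_set_on: date
    password_expires: bool           # False means expiry is not enforced
    left_on: Optional[date] = None   # date the owner left the bank, if any


def stale_ids(accounts, today):
    """IDs still enabled more than the grace period after their owner left."""
    return [
        a.user_id for a in accounts
        if a.enabled and a.left_on is not None
        and (today - a.left_on).days > ID_REMOVAL_GRACE_DAYS
    ]


def password_findings(accounts, today, max_age=PASSWORD_MAX_AGE_DAYS):
    """Classify each enabled account's password as 'no-expiry', 'expired',
    'expiring' (within EXPIRY_WARNING_DAYS of the limit) or 'ok'."""
    findings = {}
    for a in accounts:
        if not a.enabled:
            continue
        age = (today - a.password_set_on).days
        if not a.password_expires:
            findings[a.user_id] = "no-expiry"
        elif age > max_age:
            findings[a.user_id] = "expired"
        elif age > max_age - EXPIRY_WARNING_DAYS:
            findings[a.user_id] = "expiring"
        else:
            findings[a.user_id] = "ok"
    return findings


def disable_stale(accounts, today):
    """Automated removal step from the risk 6 recommendation: disable stale
    IDs in place and return the list of IDs that were disabled."""
    affected = stale_ids(accounts, today)
    for a in accounts:
        if a.user_id in affected:
            a.enabled = False
    return affected


# Constructed sample directory for the demonstration.
TODAY = date(2024, 3, 20)
SAMPLE = [
    Account("teller01", True, TODAY - timedelta(days=4), True),
    Account("teller02", True, TODAY - timedelta(days=13), True),
    Account("ops_admin", True, TODAY - timedelta(days=90), False),
    Account("branch07", True, TODAY - timedelta(days=40), True),
    Account("contractor9", True, TODAY - timedelta(days=2), True,
            left_on=TODAY - timedelta(days=10)),
    Account("old_user", False, TODAY - timedelta(days=400), True,
            left_on=TODAY - timedelta(days=300)),
]

if __name__ == "__main__":
    print("stale ids:", stale_ids(SAMPLE, TODAY))
    for uid, state in password_findings(SAMPLE, TODAY).items():
        print(f"{uid:12} {state}")
```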