
Application and Infrastructure Security of Banking and Insurance Applications
By Anurag Shrivastava (M.C.A)

Page 1 of 22

CONTENTS
1. Introduction .......................................................... 3
2. Work done in this field ............................................... 6
3. Noteworthy contribution in the field of proposed work ................. 7
4. Proposed methodology during the tenure of the research ................ 8
5. Expected outcome of the proposed work ................................. 9
   Outcome for Industry ................................................. 9
   Outcome for Individuals and Society ................................. 10
6. Bibliography ......................................................... 11
7. List of published Papers ............................................. 12


1. Introduction

Over the last two decades the Internet has become the core infrastructure for the vast majority of individual and financial transactions. Every individual, company and organization, small or big, wants to save time and paperwork by using online banking and financial applications. In today's highly collaborative financial environment, customers, employees and business partners can access more business and financial information than ever before. It is available in real time and usually at the press of a button. To improve the user experience and to reach out to remote areas, banks and financial institutions are focusing more on Internet-based applications that provide 24x7 availability and easy access to their customers. Organizations are now migrating to a new model known as cloud computing, so the dependency on secure applications and infrastructure to perform secure financial transactions is increasing day by day. As the global economy goes digital, the global underworld follows suit. If money is stored and moved around on the Internet, criminals change their game plans too, migrating from physical crime to more sophisticated, less dangerous and less violent online options such as hacking and phishing. Every day, cybercriminals devise new and ingenious attacks to profit illegally off the backs of financial organizations both large and small. Be they banks, credit unions, credit card processors or mortgage houses, these firms must find a way to adjust to this evolving attack landscape to prevent these threats from wreaking havoc on the bottom line. The fraudster's goal is simple and limited: steal online banking credentials, set up online transactions, and transfer money undetected. The various techniques they use are all just different ways of accomplishing the same thing.

Their strategy is to lure unsuspecting individuals with online access to personal or business banking accounts to well-designed fake sites, or to put malware on their computers to steal credentials and occasionally even hijack sessions. Criminals are focusing on the weakest link: the account holder (and it is not entirely the end user's fault). Their attacks are relentless, sophisticated and pervasive, and can defeat most antivirus and anti-malware solutions. Collectively, users don't stand a chance, and education is only part of the solution. Don't get drawn into simply building stronger defenses around the user; fraudsters will get through them. Commercial markets are becoming more and more competitive and margins are constantly shrinking, which forces organizations to rely more on automation, i.e. on sophisticated and robust applications for the banking and insurance business, so that they can keep pace with changing market conditions. Applications therefore need to be more secure and safe, as any online fraud or security breach can damage the organization's image and result in big losses or hefty penalties. Financial institutions stand to lose not only the money stolen through fraud, but also the amount needed to pay legal fees, the cost of reporting the breach to customers, and fees from compliance organizations. What's more, they lose even more through reputation damage, brand damage and customer departures: 20 percent of customers leave immediately upon finding out an organization suffered a breach.


Financial institutions have responded to consumer demand with new service options that can prove dangerous. Among these new options:

Social Networking. Social networking sites are commonplace today and are an opportunity for institutions to reach key audiences. But there are many ways in which social media can hurt a company. For example, an innocuous statement from an over-zealous employee such as "Busy weekend coming up. I'll be working on the latest release!" could be used by a competitor or a criminal. And many of the applications and games available on social media sites were crafted specifically to introduce malware onto a user's PC.

Mobility. Mobility has become paramount to sales, marketing and customer service strategies, as younger clientele especially clamor to conduct their banking business on the run from their mobile phones and handheld devices. That means institutions are creating services to do exactly that, from deposits to bill payments. Unfortunately, that newfound freedom introduces complexities, including a higher level of risk in terms of theft, malware and even direct attacks. And a lot of the risk is out of the institution's control and in the hands of customers with varying degrees of security savvy.

IT Consumerization. Financial institutions empower employees with more business tools such as smartphones, netbooks and laptops that take data beyond the traditional perimeter. Most banks are doing it right, by providing corporate laptops and secure access methods. But there have been mishaps that put consumers at risk; for example, a laptop containing customer account information may be stolen from the office or home.

Cloud Computing. The cloud is the future for financial services, as in every other industry sector. The new delivery model promises cost savings and efficiencies as well as agility and innovation. But institutions should have sound strategies before putting sensitive data out there.

As the custodians of confidential customer information, they are responsible for its safekeeping, so putting that data in the hands of a third party raises the stakes in terms of security and compliance implications. Institutions can't afford to stick with old delivery models, but they have to approach the cloud with a renewed focus on risk mitigation. Whether it is treacherous insiders stealing data or malicious cybercriminals hacking into company resources, financial institutions face risk from both inside and outside the organization. Whether an insider steals information for financial gain or a crook from halfway across the globe plants malware that eventually gives him unauthorized account access, the risks are the same: costly. The average breach cost organizations about $6.75 million in 2009. While each side of the coin poses unique threats, the financial sector can minimize the double-sided risks with very similar tactics. These solutions rest on the security fundamentals of solid vulnerability management, device control, application control, and sound monitoring and reporting practices.

Seeing this as a serious threat, regulators are stepping into the breach and establishing data protection legislation, increasingly backed by fines and other non-financial sanctions. A great deal of personal data is collected and held electronically, and therefore every data-controlling organization has to ensure that its applications are secured. Every country (US, EU, India) has some measures to protect the data. The Payment Card Industry Data Security Standard (PCI DSS) mandates specific security controls for all merchants that accept payments by card, whether online or offline. PCI DSS contains specific requirements around application security and application security testing.

In most European countries the common man is becoming more and more educated about data security and data protection thanks to higher computer literacy. In India, however, a lot of work still needs to be done in these areas, as many countrymen are still unaware of these threats and are easy victims of Internet and data fraud. This research is about understanding the threat and then proposing the way in which applications and infrastructure should be designed, tested and monitored so that fraud can be avoided and data security incidents minimized. This research will also help to educate individuals and society on Internet frauds and the importance of data security, and on what actions they can take against individuals or companies for recovery in case they become victims of Internet fraud.


2. Work done in this field

As of now no research has been done on the above topic. However, one individual has done research on a related topic.

Name: Dr. S. Albert Rabara, Dept. of Computer Science (31.7.1962)
College/University: St. Joseph's College, Tiruchirappalli - 620002, Bharathidasan University, Tiruchirappalli
Topic: Design and development of secured mobile payment system framework for higher academic institutions.

Few companies: A lot of research is currently going on in this area, but as it is a very dynamic topic it requires more individuals, companies, banks and financial institutions to do more and try to mitigate the risk of fraud.


3. Noteworthy contribution in the field of proposed work

MWR Labs (http://labs.mwrinfosecurity.com/) has taken an innovative and practical approach to providing solutions to the major security risks identified by the financial sector. Their research highlights key issues including:

Cyber Attacks - A slightly clichéd term, but one that does a good job of summing up the continued onslaught of targeted malware and custom exploitation techniques. How can you ensure that your assets are protected against all possible types of electronic attack?

Data Loss Prevention - How can you protect against the loss or theft of sensitive information, whether it is your information or that of your customers?

Identity and Access Management - How do you validate the identity of individuals accessing your systems, whether they are customers, suppliers or employees?

Shri Hari Balakrishnan is a Professor in the Department of Electrical Engineering and Computer Science at MIT. He is well known for his contributions to computer networks and networked computer systems, including overlay and peer-to-peer networks, Internet routing and congestion control, wireless and sensor networks, network security, and distributed data management. The RON overlay network, the Chord distributed hash table, the Cricket indoor location system, the Infranet anti-censorship system, various improvements to Internet routing (BGP), the Congestion Manager and binomial congestion control, the Snoop wireless TCP protocol, and approaches to spam control and denial-of-service protection are some of his noteworthy contributions.


4. Proposed methodology during the tenure of the research

I will follow the steps below. They are not exhaustive, nor mutually exclusive, but a series of closely related, continuously overlapping and interdependent non-linear steps and actions. What lies ahead is hard work as well as the pleasure of the hunt, and I am confident that at the end it will all come together.

1. Selection and formulation of research problem
2. Literature survey
3. Sampling strategy or sample design
4. Pilot ("quick and dirty") study
5. Data collection
6. Processing and analysis of data
7. Testing hypothesis
8. Interpretation and generalization
9. Preparation of the thesis


5. Expected outcome of the proposed work

This research will have multiple outcomes for various audiences. The primary outcome is a comprehensive list of security measures and details of various security frameworks; this data can help any software application or product dealing with personal data and financial transactions to make its systems more robust and immune to fraud and cyber criminals. The research will also produce a Security Measuring Scale (SMS) that will help any application measure its security level. It can work as a tool for an organization to evaluate its own products, or help an organization in decision-making while selecting a software application or product.

Outcome for Industry:

How Do You Use the Security Measuring Scale (SMS)? Clients use the Security Measuring Scale as a first step to understanding the security measures that any application dealing with sensitive customer and financial data should have; they might consider this while designing their product. Keep in mind that being at the top of the security scale isn't always mandatory, but it is important to be at or close to the top so that their products are best of breed, provide better security, and are less prone to hacking and fraud.

How Does the Security Measuring Scale (SMS) Work? The Security Measuring Scale provides a set of questionnaires which the user fills in based on their product, application or infrastructure specifications. SMS then evaluates those answers, rates the security of the product (product, application or infrastructure) on that basis, and generates a single number on a scale of 1 to 10:

Range (9-10): execute well against their current vision and are well positioned for tomorrow in terms of security.
Range (7-9): understand the security needs and where the market is going, or have a vision for changing market security rules, but do not yet execute well.
Range (5-7): focus successfully on basic security needs but require a lot of other security measures and changes as per market needs.
Range (1-5): do not follow the basic security practices and security trends in the market, and do not demonstrate an understanding of market direction.

Outcome for Individuals and Society: This research will help laymen understand what data security is all about and why it matters, and make them more aware of the various hacking mechanisms used by cyber criminals, such as phishing and Internet fraud. It will also make them aware of how to make sure that their data is secured and their systems can't be hacked while using any application. Finally, this research will guide individuals and the masses on what to do and what not to do in case they become victims of Internet fraud.


6. Bibliography

BOOKS:

Security Testing Handbook for Banking Applications, by Arvind Doraiswamy, Sangita Pakala, Nilesh Kapoor, Prashant Verma, Praveen Singh, Raghu Nair and Shalini Gupta.
Data and Applications Security: Developments and Directions, by Bhavani M. Thuraisingham.
Protecting Financial Enterprise Data from Two Faces of Risk: Best Practices for Building a Holistic Security Strategy (white paper; no author given).
The Financial Institution's Guide to Securing Information and Trust.

ONLINE SERVICES and the INTERNET: www.google.com; Wikipedia


7. List of published Papers

I have been working in the IT industry for the past 11 years and have been involved in banking and insurance product development and design. During product development and design I have done a lot of research on data security and how it can be implemented in various applications. I have given many internal presentations to my colleagues and clients in various locations, i.e. India, the UK and the USA.
