
Evolution of Security Standards in Indian Banking Industry



Presentation Transcript


  1. Evolution of Security Standards in Indian Banking Industry
  V. Radha, IDRBT

  2. The chronology of events (1999-2004)
  • IDRBT set up INFINET
  • Hyperchat was the only application
  • It is VSAT based
  • Banks were using Novell based net applications
  • IP was enabled on INFINET and banks’ internal LANs could be connected
  • MMS launched
  • Novell was very late in bringing IP onto Netware. Today there are no/few Novell apps in the banking industry.
  • IDRBT CA
  • SFMS
  • NEFT
  • NFS
  Institute for Development and Research in Banking Technology

  3. First few threats and countermeasures
  • Very low knowledge levels of networks (even IP addressing, routing etc.)
  • Even traffic to Internet IP addresses, resolved by DNS requests from browsers, used to hit INFINET and bring down the entire INFINET.
  • Banks were guided to connect to INFINET through routers with NAT, proxies, firewalls etc.
  • MMS was hacked
  • IS audit was mandated
  • CISA certifications were encouraged
  • Internet banking required RBI permission
  • Training programs on INFINET, network security, MMS etc. were launched

  4. Recent initiatives
  • VAPT from CERT-empanelled IS auditors
  • IS governance and IT governance from IDRBT
  • Gopala Krishna Committee guidelines on security, cybercrime etc.
  • PCI-DSS
  • Mobile banking security guidelines

  5. Security
  • Security problems
    • Man made
      • Created by faulty design and implementation issues
        • Phishing
        • Spoofing etc.
        • Majority of the attacks listed in OWASP
      • Crossing lines of “not supposed to”
        • Unauthorized access
        • Tampering with data
    • Natural
  • Identity management
    • AAA
    • Secret sharing etc.

  6. Solutions
  • Strengthen the weak protocols, software, OS, implementation etc.
  • Prevent security threats from manifesting as much as possible
  • Monitor the events of crossing lines of “not supposed to”

  7. New thoughts
  • Looked at phishing and anti-phishing solutions
  • Very little can be done from the banks’ end on this
  • Solutions like SPF have to be implemented by everyone, not just by banks.
  • Domain-specific passwords are a very good solution, but have to be part of browsers
  • The majority of phishing techniques, like look-alike domain names, URL redirection etc., are taken care of by browsers
  • Banks are asked to deploy adaptive authentication over and above two-factor authentication (a monitoring solution)
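The last bullet asks banks to layer adaptive authentication on top of two-factor authentication: after both factors pass, the session is scored on context and either allowed, challenged again, or blocked. The following is an added illustration of such a risk engine; it is not code from this deck, from IDRBT or from any bank. The signals (device, country, hour, recent failures, transaction value), the weights, the thresholds, the sample profile and the sample events (including the placeholder country code "XX") are all constructed for the example.

```python
"""Adaptive (risk-based) authentication layered over two-factor authentication.

Added illustration, not code from the original deck, IDRBT or any bank.
Signals, weights, thresholds and sample data are constructed; a real
deployment would tune them from the bank's own fraud data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user: str
    device_id: str
    country: str
    hour: int                    # local hour of the request, 0-23
    failed_logins_last_hour: int
    amount_inr: int = 0          # value being authorised; 0 for a plain login


@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset
    home_country: str
    usual_hours: range           # constructed: hours the customer normally transacts in


# Constructed weights: each anomalous signal adds to the risk score.
WEIGHTS = {
    "new_device": 40,
    "foreign_country": 35,
    "odd_hour": 15,
    "failed_login": 10,          # per failed attempt in the last hour
    "high_value": 25,
}
HIGH_VALUE_INR = 100_000
STEP_UP_THRESHOLD = 40           # demand an additional challenge
BLOCK_THRESHOLD = 80             # refuse and raise an alert for the monitoring team


def risk_score(event, profile):
    """Return (score, reasons) for one event against the customer's profile."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if event.country != profile.home_country:
        score += WEIGHTS["foreign_country"]
        reasons.append("foreign_country")
    if event.hour not in profile.usual_hours:
        score += WEIGHTS["odd_hour"]
        reasons.append("odd_hour")
    if event.failed_logins_last_hour:
        score += WEIGHTS["failed_login"] * event.failed_logins_last_hour
        reasons.append("failed_login")
    if event.amount_inr >= HIGH_VALUE_INR:
        score += WEIGHTS["high_value"]
        reasons.append("high_value")
    return score, reasons


def decide(event, profile):
    """Both factors (password and OTP) are assumed to have already passed.
    This layer decides whether the session proceeds, gets a further
    challenge, or is blocked. Returns (decision, score, reasons)."""
    score, reasons = risk_score(event, profile)
    if score >= BLOCK_THRESHOLD:
        return "block", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample profile and events ("XX" is a placeholder country code).
PROFILE = UserProfile(frozenset({"dev-A"}), "IN", range(8, 22))
EVENTS = [
    LoginEvent("cust1", "dev-A", "IN", 10, 0, 5_000),        # usual device, home, daytime
    LoginEvent("cust1", "dev-B", "IN", 11, 0, 0),            # unknown device only
    LoginEvent("cust1", "dev-B", "XX", 3, 4, 250_000),       # everything anomalous at once
]


def run(events=EVENTS, profile=PROFILE):
    """Decision for each event, in order."""
    return [decide(e, profile)[0] for e in events]


if __name__ == "__main__":
    for e in EVENTS:
        print(e.device_id, e.country, decide(e, profile=PROFILE))
```

The point the slide makes is that this layer is monitoring, not a third factor: a customer on a new device is merely challenged again, while the fully anomalous event is stopped and handed to the fraud team even though the OTP was correct.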

  8. Source code review
  • As we see that many vulnerabilities are due to bad coding, we felt the need to mandate source code review for application vendors. We also observed that product vendors such as OS and database vendors have framed in-house frameworks for ensuring safe and secure software.

  9. Formal methods
  • New payment protocols
  • Design-level verification is a must before deploying the protocol
  • New Privacy Issues in Mobile Telephony: Fix and Verification, by Ravishankar Borgaonkar et al.
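Design-level verification means checking the protocol itself, before any code is written, by exploring every state the design can reach and confirming a safety property holds in all of them. The following is an added, deliberately small illustration of that idea; it is not code from this deck, from IDRBT or from the cited paper. The toy protocol (A has debited itself and a credit message for transaction tx1 is in flight to B), the network model (the network may deliver a message or duplicate it once) and the invariant (the protocol must never create money) are all constructed for the example.

```python
"""Design-level verification of a toy payment protocol by exhaustive state exploration.

Added illustration, not code from the original deck, IDRBT or the cited paper.
The protocol, the network model and the invariant are constructed for the example.
"""
from collections import deque

AMOUNT = 10     # value being transferred from A to B
TOTAL = 200     # money in the system before the transfer (A=100, B=100)

# State once A has debited itself and sent the credit message for tx1:
# (balance_a, balance_b, credit messages in flight, txids B has applied, duplicate injected?)
INITIAL = (90, 100, ("tx1",), frozenset(), False)


def make_step(idempotent):
    """Successor function for the design. With idempotent=True, B records each
    applied txid and ignores a credit it has already processed."""
    def step(state):
        bal_a, bal_b, inflight, done, dup_used = state
        successors = []
        # The network may deliver any message currently in flight.
        for i, tx in enumerate(inflight):
            rest = inflight[:i] + inflight[i + 1:]
            if idempotent and tx in done:
                successors.append(("B ignores duplicate " + tx,
                                   (bal_a, bal_b, rest, done, dup_used)))
            else:
                successors.append(("B credits " + tx,
                                   (bal_a, bal_b + AMOUNT, rest, done | {tx}, dup_used)))
        # The network may duplicate an in-flight message once (bounded so the
        # reachable state space stays finite).
        if inflight and not dup_used:
            successors.append(("network duplicates " + inflight[0],
                               (bal_a, bal_b, inflight + (inflight[0],), done, True)))
        return successors
    return step


def money_conserved(state):
    """Safety property: the protocol must never create money."""
    return state[0] + state[1] <= TOTAL


def check(step, invariant, initial=INITIAL):
    """Breadth-first search over every reachable state. Returns None when the
    invariant holds everywhere, otherwise the sequence of actions that leads
    from the initial state to the first violation (a counterexample trace)."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        if not invariant(state):
            trace = []
            while parent[state] is not None:
                action, prev = parent[state]
                trace.append(action)
                state = prev
            return list(reversed(trace))
        for action, nxt in step(state):
            if nxt not in parent:
                parent[nxt] = (action, state)
                queue.append(nxt)
    return None


def verify(idempotent):
    """Counterexample trace for the chosen design, or None if it is safe."""
    return check(make_step(idempotent), money_conserved)


if __name__ == "__main__":
    print("naive design      :", verify(False))
    print("idempotent design :", verify(True))
```

The naive design, in which B credits whatever arrives, is rejected with the trace duplicate, credit, credit: the second delivery of the same message mints ten units. Adding a transaction id that B remembers makes every reachable state satisfy the invariant, which is exactly the kind of fix a design-level check surfaces before anything is deployed.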

  10. Data privacy
  • Some cases of corporate espionage
  • Some banks are setting up data governance groups
  • Groups include HNIs, corporate customers and solution vendors along with the bank’s CISO

  11. Business process re-engineering
  • Dematerialized deposits
  • Online deposit verification
  • Straight-through processing – automated data flow
  • Online lending platforms

  12. Education
  • Most security problems are thrown into the court of solution vendors (network, application etc.)
  • Banks can resolve them only if they are knowledgeable
  • Network security, IS audit, IS and IT governance, secure coding practices, fraud detection and monitoring etc. help equip them with the latest know-how.

  13. Human resources
  • Banks are increasing the number of specialist technical officers in Scale I and Scale II, through campus recruitment as well
  • IDRBT M.Tech (IT) with UOH, 100% placement
  • We envisage that the future generation of bank employees will come up with new innovations and appreciate the government and regulatory policies for taking benefit from technology, with little or no resistance

  14. Thank you