Bank Networks: Security is Business

Voice&Data Bureau

The advancements in communication technologies, more than anything else,
have influenced the way banks conduct their business today. While globalization
certainly has been the other major catalyst of change, in many ways
globalization itself has been facilitated by communications technologies like
the Internet. Moreover, if globalization, more specifically its by-products like
deregulation and competition, has encouraged or forced banks to offer newer and
better services, communication technologies have helped them offer those
services more efficiently and to a larger number of people, sometimes across
national boundaries.

The increasing use of communication technologies, however, has its side
effects too–banks, which have always been exposed to various kinds of security
threats, have become more vulnerable to threats from diverse and often unknown
sources. And this vulnerability increases by the day as banks keep getting
connected to new customers and partners through public networks like the
Internet. In fact, in many ways the network itself becomes the business. It is
in this context that network and information security becomes as critical as the
network itself.

Tools That Can Make Bank Networks and Information Secure

Public key infrastructure
Strong two-factor authentication
Integrity checking software
File/disk level encryption
E-mail security
Web page access controls

Types of Attacks

Denial-of-service
Virus
Insider net abuse
Unauthorized access
Theft of proprietary information
Financial fraud
Sabotage
System penetration

Why Security Is Important

While Internet banking is still in its infancy in India, banks are surely
getting networked to enhance operational efficiency and serve customers faster
and better. This essentially means that they are building networks to run
business-critical applications and interconnect branches, which throws up several
security challenges. Today, banks in India are predominantly using leased lines
from BSNL and VSATs to connect their branches. Many banks use VPN and IPSec
tunnels created on these networks. The private nature of most of the bank
networks may make them less vulnerable than an Internet banking network.
However, with more and more devices and channels (ranging from ATMs, teller
systems in newly ‘wired’ branches, and e-mail systems to connections to
online financial hubs) being connected to bank networks even these private
networks could be at risk. As Michael Payne of Cisco Systems puts it,
"Indian banks face some unique challenges, particularly in the explosion of
locations and devices that are being connected to relatively new networks. The
projected increase in the number of ATMs and connected or ‘wired’ branches
will pose some challenges for the network and application administrators."

V. Mohan

Head, IT Infrastructure Services

NCR Corporation India

To improve security, we need a layered approach of security controls. The controls are presented step by step to manage and mitigate various threats. 

Adoption of Web technologies enabling organizations and customers to interact
and transact with banks has increased the complexity of applications and
networks. "Increased levels of outsourcing and greater demands being placed
on application and network infrastructures now demand that banks take a more
holistic and proactive view towards their information security policies and
practices," urges Payne.

Banks need security, points out Vaidyanathan Iyer, national manager, security
solutions, Computer Associates, to ensure transactional integrity and
protect the privacy of customers’ non-public information, to detect and check
ATM/credit card frauds and money laundering, to protect asset information and
to regulate access to internally sensitive data.

Where Are the Threats Coming From?

A bank network is vulnerable to both internal and external attacks. Some of
the widely prevalent security threats in the financial sector are
denial-of-service, virus, insider net abuse, unauthorized access, theft of
proprietary information, financial fraud, sabotage, and system penetration.
Apart from external agents, even employees of a bank carry out many of these
threats. Some of these threats, if executed, could even mean complete loss of
credibility and thus the competitive edge. Anurag Srivastava, chief technology
officer, Wipro Infotech, observes that in today’s environment, a major threat
that any networked bank could face would be from a denial-of-service
perspective. "Most of the attacks that are targeted are causing
denial-of-service, and thereby disruption of service," he says.

WAKE UP TO SECURITY THREATS

Network connectivity and security should be seen as one
A bank network is vulnerable to both internal and external attacks; rival banks can run down unsecured networks
The need to address those security concerns holistically has not been felt yet
Designing a network and information security policy is as important as deploying a network

"Banking systems with their volumes of data and opportunity for theft
are a natural attraction to hackers. By installing direct transaction servers,
online banks have in effect opened the door for customers and hackers to
confidential internal networks," Suresh Srinivasan, GM, enterprise
networking solutions, Ramco Systems, points out.

But Have Indian Banks Realized All This?

Network managers at most of the Indian banks are usually aware of the kind
of security threats their networks could be facing. Many banks, mainly MNCs,
private banks and some public sector banks, have gone in for security audits,
defining security policies, and deployments of security tools. The RBI
guidelines on security have also resulted in banks becoming stricter in
evaluation of security techniques.

Michael Payne

Cisco Systems


As banks modernize applications, they need to test the security of systems individually and see how the systems interact within the bank as also externally. 

RBI guidelines have ensured that security spending would be a key focus area
of the IT budgets of banks. A comprehensive security assessment and user
acceptance test is a part of the security deployment procedure. This is reviewed
on a periodic basis.

However, the need to address security concerns holistically has not been felt
yet by a majority of the Indian banks. Most banks, barring the foreign ones, do
not seem to care much about security.

Swapan Johri

Business head (enterprise networks), HCL Comnet


Although Indian banks are slowly realizing the importance of security, the fact remains that none has a comprehensive security system in place.

There are many reasons cited for this. The most common excuse made is that
the Indian banks, barring foreign banks operating in the country or a couple of
private ones, have begun networking or going online only recently. As such, they
should be given some time before they think about security. It appears they are
either so engrossed in the process of building the network or so enamored of
its pros that they have little time to think of the cons of not implementing
adequate security. The current approach seems to be–let the networks be in
place first, security can come later. While connectivity, the foundation on
which any network runs, has been recognized as a critical component of the
modern banking business, network and information security is yet to get that
recognition. One reason for this may be the fact that connectivity and security
are seen as two different things. At the most, at this point, many banks appear
to believe that putting up tools like firewalls and encryption would make their
networks adequately secure. This is best reflected in the fact that most of the
tenders put out by various banks inviting bids for building their networks talk
only of firewalls or sometimes encryption.

Dr Anurag Srivastava 

CTO, Wipro Infotech


A common mistake that banks commit is that they treat security policy definition, implementation and compliance as three independent activities. 

Then there are others who are sure they do not really face any threat and
therefore cannot justify putting up a security system that could be a costly
affair. Among other things, this is also because of the fact that banks often do
not have any clue when it comes to calculating RoI on security. "Even
though Indian banks are slowly realizing the importance of security, the fact
remains that not a single Indian bank has a comprehensive security system in
place," claims Swapan Johri, HCL Comnet. As someone driving the security
business of the leading network integrator, Johri often finds it difficult to
convince banks why implementing an adequate security mechanism is as important
as deploying and running a network. "Even the large private sector banks
that have set up networks are not going into detail as far as security is
concerned," Lt Col HS Bedi, MD, Tulip IT Services, the Delhi-based network
integration company, observes.

N Rajendran

Assistant Professor,
IDRBT


It would be premature to comment on network security in Indian banks as networking is beginning to happen only now. 

However, N Rajendran, an assistant professor with Institute for Development
and Research in Banking Technology (IDRBT), is of the view that it would be
premature to comment on the security of bank networks in India, given the fact
that networking is happening only now. "Banks are designing policies and
some have implemented them too," he says. IDRBT has been closely involved
in helping Indian banks design and implement security systems.

What Do Banks Need To Do?

It is true that networking is just beginning to happen in Indian banks. As
such, except for a few, most of the Indian banks are neither hooked on to a wide
area network nor transacting business on the Internet. It is argued that
this makes them less vulnerable, largely because they are not connected to
the outside world and so are not exposed to hacker attacks or
denial-of-service attacks. It would be pertinent here to emphasize that banks
also face a major threat from internal sources. The ability to control users on
the network is a key challenge, and given the increasingly technology-savvy
employee base, exercising control over them and their activities is difficult.
Growing computerization makes them more vulnerable to cyber warriors and data
thieves. A 1997 presidential commission on the US defense identified insiders as
‘the most persistent security threat’ to banking and finance. Terrorists
known as ‘sleepers’ could get jobs at banks, where they could embezzle or
destroy data.

It is because of this that designing a network and information security
policy is as important as deploying a network. It is immaterial whether that
network is a LAN or a WAN, and whether it is connected to the Internet or not.
Whatever the case, a bank needs to have a dynamic network and information
security policy in place as the very foundation of its security system. A
policy-based security implementation should go along with the deployment of
network. Of course, the scale of security deployed would always depend on the
size and nature of the network.

Once a policy is in place, it must be ensured that it is implemented.
"Most of the banks miss a bigger picture when it comes to security. IT
security is not just installing security gadgets but a process by itself. Any
security outlook for an organization calls for three things–probing,
protecting and policing," Ariya Parasamanesh of NCR emphasizes.
Parasamanesh says that many of the banks already have a security policy
developed by some vendors and themselves, but they do not have a methodology to
ensure that these policy recommendations are implemented correctly and these
policies are regularly monitored. "We have seen banks spending millions of
rupees in identifying the probable vulnerabilities and develop a thorough
security policy but fail to implement these policies," he says.

Vaidyanathan Iyer

National manager,
(e-security Solutions) Computer Associates


Security is an ongoing exercise. One has to be always alert. Today’s solutions need not work tomorrow, as the sinister side is also innovative. 

CA’s Vaidyanathan Iyer makes an interesting observation. He observes that
since the first computer networks were deployed, financial institutions have
focused almost exclusively on protecting against technology threats, instead of
helping to solve business issues. "However, security is much more than a
network protection issue–it must help the institution to achieve its business
goals of providing more online services to a growing number of customers and
increasing secure transactions with other banks and organizations," he
says. He points out that the solution lies in an integrated approach that
effectively manages security threats by addressing three key challenges–access
management, identity management, and threat management.

What Vaidyanathan describes is not possible unless the top management is
involved in the implementation and management of security. The impetus for a
security policy must come from the top. "Senior managers must make it clear
that an essential part of the bank’s success will come through the proper and
best use of information. They should stress that information needs to be
properly managed and protected and that senior management will be actively
involved in drawing up a security policy to do this," emphasizes Suresh
Srinivasan of Ramco Systems.

Suresh Srinivasan

GM (enterprise networking solutions), Ramco Systems


Security mechanisms are not enough to secure e-com Web servers when used alone. In the new Internet model, OS security is prime. 

Management needs to make the policy reflect the ethics and philosophy of the
company and to show staff that the board is committed to making it work. They
also should make it clear that they expect everyone in the company to share this
commitment. In many companies, the IT department formulates and manages
the security policy. This approach can create a number of problems. First, the
IT department’s view of security may not necessarily reflect what senior
management would want. And second, if IT staff have to implement and enforce the
policy, it can put them in a very difficult position. Other staff may simply not
recognize that IT staff have the authority to dictate to them and may refuse to
cooperate.

Security policies have a number of human, financial and legal consequences.
Because of this, great care needs to be taken in formulating particular
policies, in creating the standards that will actually carry out the policies,
and in presenting that information to staff.

Cisco’s Payne stresses the need for addressing security from a systems
point of view rather than from a products point of view. "Many banks will
have an attack, go purchase new products, and then suffer a new attack. The
banks need to plan for security as a whole solution, not just a bunch of
boxes," he says.

Most banks usually have three separate departments. The first is the
networking team, which is usually in charge of the network hardware. They are
told to make it fast and cheap. The next team is the applications team, which is
in charge of the banking software. They are told to make it fast and simple. The
last team is the security team, which is in charge of the firewalls, and other
security devices. They are told if anyone breaks in, then they might lose their
jobs. "Such an approach does not work. You have three independent groups, all
with conflicting goals and agendas working to deploy banking," Payne
observes and suggests that the bank management should combine these teams to
work together to provide a balanced solution.

Lt Col HS Bedi

Managing director,
Tulip IT Services


Banks look at connectivity and security as separate aspects. It’s important that they are planned together.

NCR, which has decades of experience in design, implementation and
consultancy of security for enterprise networks, states that effective security
management practice can be characterized by the preservation of the standard
information security services. These would include confidentiality (ensures that
applications and data are accessible to only the users intended and authorized
to have access), integrity (guarantees the accuracy of the data), availability
(ensures that authorized users have access to applications and the data when
required), authentication (guarantees that the application users are who they
claim to be) and non-repudiation (proves that the originator of the data and
user of the application did perform the transaction).

Implementing a comprehensive security system does not always mean costly
investment in fancy tools and technologies. Many a time what could work is
simply the proper management of existing resources from a security perspective.
Investments in tools and technologies should be made depending on vulnerability
assessment and the threat perception.

The key message that banks need to lap up is that they should first have a
security policy in place, then implement it vigorously in detail and integrate
that policy into their business goals. And to successfully achieve all this, the
top management must be involved and business managers must be encouraged to
realize the importance of security.

Ravi Shekhar Pandey