Emerging Cyber Risk Trends
Nivedita Dwivedi
Deputy General Manager, Member of Faculty
College of Agricultural Banking
The world that we live in!
Certain Statistics
• 5,60,000 new malware pieces are detected daily. There are more than 1 billion malware programs out there. Every minute, 4 companies fall victim to ransomware attacks.
• The cost of cybercrime is predicted to grow to $10.5 trillion by 2025, according to Cybersecurity Ventures' "2023 Official Cybercrime Report," sponsored by eSentire.
Key Entry Points – Verizon’s Data Breach Investigation Report, 2023
Three key entry paths – Credentials, phishing, exploiting vulnerabilities
Who are these people?
• Hackers: Black, white, grey!
• Curious Kids or enthusiasts
• Professional Criminals – Group of experienced hackers
• Malware programmers
• Corporate Espionage
• Information warfare
• Cyber Terrorism
• State Players
• Stakeholders – Employees, Vendors?
Cybersecurity
• Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.
Goals of Cybersecurity - CIA
Cyber Threats
Malware
• Ransomware: Ransomware is a type of malicious software that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
• Viruses: A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels.
• Worms: Worms are standalone software and do not require a host program or human help to propagate. A worm enters a computer through a vulnerability in the system.
• Trojans: A Trojan is another type of malware named after the wooden horse that the Greeks used to infiltrate Troy. Deleting files, stealing data, or activating and spreading other malware, such as viruses.
• Bots: Malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet".
Phishing
Phishing Types
Man in the middle
Password Attack Types
Distributed Denial of Service
How to remain Safe - PPT
Cyber Security Framework for UCBs
• Basic Cyber Security Framework for Primary (Urban) Cooperative
Banks – October 19, 2018
• Comprehensive Cyber Security Framework for Primary (Urban)
Cooperative Banks – A Graded Approach – December 31, 2019
Level I
• All UCBs
Level II
• Sub-members of CPS and satisfying at least one of the following:
  • Internet banking
  • Mobile banking
  • Direct member of CTS/IMPS/UPI
Level III
• At least one of the following:
  • Direct members of CPS
  • Having their own ATM switch
  • Having SWIFT interface
Level IV
• Members/sub-members of CPS and satisfy at least one of the following:
  • Having own ATM switch and SWIFT interface
  • Hosting Data Centre or providing support to other banks
Basic Cyber Security Controls for UCB
Inventory Management of business IT assets
• Maintain details of assets and classify based on criticality
• Classify data/information based on sensitivity criteria of information and appropriately manage and provide protection
Preventing access of unauthorized software
• Centralized inventory of authorized software, mechanism to control/block/prevent installation of unauthorized software on PCs, laptops, workstations, servers etc.
• Internet usage restricted to stand-alone PCs
Environmental controls
• Securing physical location of critical assets, providing protection from natural and man-made threats
• Monitoring of breaches of environmental controls relating to temperature, water, smoke, access alarms, service availability alerts, access logs etc.
Basic Cyber Security Controls for UCB
Network Management and Security
• Default passwords to be changed after installation
• Critical infrastructure to be designed with adequate network separation controls
Secure Configuration
• Firewall configurations should be set to the highest security level and evaluation of critical device (such as firewall, network switches, security devices, etc.) configurations should be done periodically
Anti-Virus and Patch Management
• Systems and processes to identify, track, manage and monitor the status of patches to servers, OS and application software running at the systems used by the end users
• Preferably centralized management of anti-virus updates
Basic Cyber Security Controls for UCB
User Access Control/Management
• Disallow administrative rights on end-user PCs
• Complex passwords
• Disable RDP
• Centralized system to monitor administrative access to critical systems
Secure Mail and Messaging Systems
• Secure mail and messaging systems
• E-mail server specific controls
Removable Media
• Should not be permitted as a rule
• Get the removable media scanned for malware/anti-virus prior to providing read/write access
Basic Cyber Security Controls for UCB
User/Employee/Management Awareness
• Board/Management to be kept updated at least once a year
• End user awareness – not to open an attachment from unknown sources
Customer Education and Awareness
• Customer education
Vendor/Outsourcing Risk Management
• Clear SLAs with respective responsibilities and grievance redressal mechanisms
• Periodic review
Back-up and Restoration
• Take periodic back up of the important data and store this data ‘off line’ (i.e., transferring important files to a storage device that can be detached from a computer/system after copying all the files)
Comprehensive Cyber Security Framework
Board approved Cyber Security Policy
• Duly approved by the Board/Administrator
• Cyber Security Policy to be distinct from the IT policy/IS Policy of the UCB
• Risks from cyber threats
• Measures to address/reduce these risks
• Technologies adopted, delivery channels, digital products being offered, internal and external threats etc.
• Rate each of these risks as Low, Medium, High and Very High
• Inform RBI within 3 months
Cyber Crisis Management Plan
• Since cyber risk is different from many other risks, the traditional BCP/DR (Business Continuity
Plan/Disaster Recovery) arrangements may not be adequate
• CERT-In (Computer Emergency Response Team – India, a Government entity) has been taking
important initiatives in strengthening Cyber Security by providing proactive/reactive services
and guidelines, threat intelligence and assessment of preparedness of various agencies in
different sectors, including the financial sector.
• CERT-In has also come out with National Cyber Crisis Management Plan and Cyber Security
Assessment Framework.
• UCBs may refer to CERT-In/NCIIPC/RBI/IDRBT guidelines as reference material for their
guidance.
Level -1 Controls
DMARC (Domain-based Message Authentication, Reporting and Conformance)
• Implement bank specific email domains (example, XYZ bank with mail domain xyz.in) with anti-phishing and anti-malware, DMARC controls enforced at the email solution.
Two Factor Authentication
• UCBs shall put in place two factor authentication for accessing their CBS and applications connecting to the CBS with the 2nd factor being dynamic in nature.
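The DMARC control above asks for the policy to be enforced at the email solution. As an added example (not from the slides or from any bank's tooling), the Python below parses a DMARC TXT record and lists the reasons a record would not count as enforcing; the two records and the domain xyz.in are constructed from the slide's hypothetical bank and are not looked up in DNS.

```python
# Added example (not part of the original slides): parse a DMARC TXT record
# and report whether it enforces a policy, as the Level-1 control asks for.
# The sample records are constructed for the hypothetical domain xyz.in
# used on the slide; nothing here performs a real DNS lookup.

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return a list of findings; an empty list means the record is enforcing.

    Enforcing here means: a valid v=DMARC1 tag, p=reject (quarantine is
    flagged as weaker, none as monitoring only), pct=100 so the policy
    applies to all mail, a subdomain policy (sp) no weaker than p, and at
    least one aggregate-report address (rua) so spoofing attempts are seen.
    """
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
        return findings
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine is enforcing but weaker than p=reject")
    elif policy != "reject":
        findings.append("missing or unknown p= policy")
    pct = tags.get("pct", "100")          # DMARC default is 100 percent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of the mail")
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    sp = tags.get("sp", policy)           # sp defaults to the main policy
    if strength.get(sp, -1) < strength.get(policy, -1):
        findings.append(f"sp={sp} leaves subdomains weaker than the main domain")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to review")
    return findings


# Constructed sample records for the hypothetical domain xyz.in.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@xyz.in"
ENFORCED = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
            "rua=mailto:dmarc@xyz.in")

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, ENFORCED):
        print(rec, "->", dmarc_findings(rec) or ["enforced"])
```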
Level -1 Controls
There should be a robust password management policy in place, with specific emphasis for sensitive activities like accessing critical systems and putting through financial transactions. Usage of trivial passwords shall be avoided. [An illustrative but not exhaustive list of practices that should be strictly avoided: XYZ bank having password as xyz@123; network/server/security solution devices with passwords such as device/solution_name123, device_name or solution@123; hard coding of passwords in plain text in thick clients, or storage of passwords in plain text in the databases.]
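As an added example (not from the slides), the Python below turns the trivial-password patterns listed above into an acceptance check and shows passwords being stored as salted hashes rather than in plain text; the bank and device names (xyz, corefw, cbs-app01) and the 12-character minimum are assumed for the illustration.

```python
# Added example (not part of the original slides): a password-acceptance
# check that rejects the trivial patterns listed in the Level-1 control
# (bank name + digits, device/solution name + "123" or "@123") and shows
# passwords stored as salted hashes rather than in plain text.
# The context names ("xyz", "corefw", "cbs-app01") are constructed.
import hashlib
import hmac
import os
import re
import unicodedata


def _normalise(s: str) -> str:
    """Lower-case and drop separators so 'XYZ_Bank@' and 'xyzbank' compare equal."""
    return re.sub(r"[^a-z0-9]", "", unicodedata.normalize("NFKC", s).lower())


def is_trivial_password(password: str, context_words: list, min_length: int = 12) -> bool:
    """Return True when the password is trivial under the slide's policy.

    context_words are names an attacker does not need to guess: the bank's
    name or mail-domain label, hostnames, and product/solution names.
    Trivial means: too short, digits only, or a context word padded with
    nothing but digits/punctuation (xyz@123, solution_name123, 2024device).
    """
    if len(password) < min_length or password.isdigit():
        return True
    core = _normalise(password)
    for word in context_words:
        w = _normalise(word)
        if not w:
            continue
        if core.startswith(w):
            rest = core[len(w):]
        elif core.endswith(w):
            rest = core[:-len(w)]
        else:
            continue
        if rest == "" or rest.isdigit():
            return True
    return False


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Store (salt, digest) using PBKDF2-HMAC-SHA256, never the plain text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the stored digest against a fresh one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


BANK_CONTEXT = ["xyz", "xyz.in", "XYZ Bank", "corefw", "cbs-app01"]  # constructed

if __name__ == "__main__":
    for candidate in ("xyz@123", "XYZ_Bank@12345678", "corefw123456789",
                      "Monsoon-Harvest-2024-Tractor!"):
        print(f"{candidate!r}: trivial={is_trivial_password(candidate, BANK_CONTEXT)}")
```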
Level -1 Controls
Educate employees to strictly avoid clicking any links
received via email (to prevent phishing attacks).
Put in place an effective mechanism to report the cyber
security incidents in a timely manner and take
appropriate action to mitigate the incident. UCBs shall
also report all unusual cyber security incidents to CERT-In
and RBI.
Level 2 Controls
Application Security Life Cycle (ASLC)
• The development/test and production environments need to be properly segregated.
• Software/Application development approach should incorporate secure coding principles,
security testing (based on global standards) and secure rollout.
User Access Control / Management
• Provide secure access to the UCB’s assets/services from within/outside UCB’s network by
protecting data/information at rest (e.g. using encryption, if supported by the device) and
in-transit (e.g. using technologies such as VPN or other standard secure protocols, etc.)
Periodic Testing
• Periodically conduct Vulnerability Assessment/ Penetration Testing (VA/PT) of internet facing
web/mobile applications, servers and network components throughout their lifecycle (pre-
implementation, post implementation, after changes etc.). VA of critical applications and those on DMZ
shall be conducted at least once in every 6 months. PT shall be conducted at least once in a year.
• UCBs having their CBS on a shared infrastructure of an Application Service Provider (CBS-ASP) shall get
their CBS application including the infrastructure hosting it subjected to VA/PT through the CBS-ASP.
• Application security testing of web/mobile applications should be conducted before going live and
after every major change in the applications.
• The vulnerabilities detected are to be remedied promptly in terms of the UCB’s risk
management/treatment framework so as to avoid exploitation of such vulnerabilities.
• Penetration testing of public facing systems as well as other critical applications is to be carried out by
professionally qualified teams. Findings of VA/PT and the follow up actions necessitated are to be
monitored closely by the Information Security/Information Technology Audit team as well as Top
Management.
Level 2 controls continued
• Anti-Phishing - Subscribe to Anti-phishing/anti-rogue application services from external service providers for identifying and taking down phishing websites/rogue applications.
• Data Leak Prevention Strategy - Develop and implement a comprehensive data loss/leakage prevention strategy to safeguard sensitive (including confidential) business and customer data/information. Similar arrangements need to be ensured at vendor managed facilities as well.
• Audit Logs - Capture the audit logs pertaining to user actions in a system. Such arrangements should facilitate forensic auditing, if need be. An alert mechanism should be set to monitor any change in the log settings.
Incident Response and Management
• Put in place an effective Incident Response programme. UCBs must have a mechanism/resources to take appropriate action in case of any cyber security incident. They must have written incident response procedures including the roles of staff / outsourced staff handling such incidents.
• UCBs are responsible for meeting the requirements prescribed for incident management and BCP/DR even if their IT infrastructure, systems, applications, etc., are managed by third party vendors/service providers.
Level 3
• Criteria - UCBs having at least one of the criteria given below:
  • Direct members of CPS
  • having their own ATM Switch
  • having SWIFT interface
• In addition to level II controls, additional controls include Advanced Real-time Threat Defence and Management, Risk based transaction monitoring
Level 4
• Criteria - UCBs which are members/sub-members of CPS and satisfy at least one of the criteria given below:
  • having their own ATM Switch and having SWIFT interface
  • hosting data centre or providing software support to other banks on their own or through their wholly owned subsidiaries
• In addition to level III controls, additional controls include setting up of a Cyber Security Operation Center (C-SOC) (either on their own or through service providers), IT and IS Governance Framework, Participation in Cyber Drills, Forensics and Metrics, Chief Information Security Officer etc.
Customer Protection – Limiting Liability of Customers of Co-operative Banks in Unauthorised Electronic Banking Transactions
December 14, 2017
Summary of customer’s liability
(Columns: Types of cases; Time taken to notify the bank from the date of receipt of communication from bank; Customer’s liability)
• Contributory fraud/negligence/deficiency on the part of the bank
  Time taken to notify the bank: Irrespective of whether or not the transaction is reported by the customer
  Customer’s liability: Zero liability
• Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system
  Time taken to notify the bank: Three working days
  Customer’s liability: Zero liability
• Where the loss is due to negligence by a customer, such as where he has shared the payment credentials
  Customer’s liability: Bear complete loss until he reports the unauthorised transaction to the bank – after that bank will bear the loss
• Where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system
  Time taken to notify the bank: Four to seven working days
  Customer’s liability: Transaction value or amount mentioned in the Circular
• All cases
  Time taken to notify the bank: Beyond seven working days
  Customer’s liability: As per bank’s Board approved policy
Best practices in IT Security in Banks and Cyber Hygiene
Best practices in IT security in banks
Cyber Security Awareness
• Get a good trainer - You may consider finding an appropriate training institute or train one of your staff to become the trainer.
• Different people, roles and posts require different scopes, types and levels of training. Plan for the different training needs of staff.
• Consider periodically using posters or issuing reminders to your staff about the importance of information security.
Consider providing training under the following scenarios:
• When a new employee joins your team, he/she is informed about the security policies of your company by briefing or orientation.
• Work to improve the security knowledge of all staff.
• Refresher training should be conducted at least once a year.
CBS best practices
• Passwords should be set as complex and lengthy, and users should not use the same passwords for all the applications/systems/devices.
• Internet usage, if any, should be restricted to identified standalone computer(s) in the branch of a UCB which are strictly separate from the systems identified for running day to day business. If allowed in any of such end points, the same should be adequately secured through proxy servers on an ongoing basis.
• Put in place systems and processes to identify, track, manage and monitor the status of patches to servers, operating system and application software running at the systems.
• Remote access to computers/servers/other IT systems over a network or over the internet should always be disabled and should be enabled only with the approval of the authorised officer of the UCB. Logs for such remote access shall be enabled and monitored. Such access should be immediately stopped if logging and effective monitoring mechanisms are not implemented.
• Implement appropriate (e.g., centralised) systems and controls to allow, manage, log and monitor privileged/super user/administrative access to critical systems.
• The end-users should never click a link or open or download an attachment from an email received from unknown sources.
CBS best practices
• UCBs shall put in place two factor authentication for accessing their CBS and applications connecting to the CBS, with the 2nd factor being dynamic in nature.
• CBS should facilitate Role Based Access Controls (RBAC).
• All the passwords should be securely stored.
• The password complexity should be enforced as per the password policy of the bank. Further, the password should be mandatorily changed after first login by the user. Also, the password should be mandatorily changed at defined intervals.
• CBS should allow only one active session for the user.
• Data in the critical fields should be appropriately masked for front-end display through the CBS application. (Display of the critical fields should only be to the extent required.)
• CBS should have the facility to generate a list of all internal accounts (active and inactive) at any point of time.
Access Control - Tips
• Disable: Disable a user's account or remove a user's privileges once he/she leaves the bank, or if the role of that person has changed.
• Ensure: Ensure that everyone has to login and logout when accessing your system. The system should provide an automatic logoff feature in case user activities are idle for a pre-selected time period.
• Deactivate: Deactivate a user account if a login attempt fails for multiple consecutive times.
• Use: Use passwords that are difficult to guess. Learn how to properly handle passwords.
• Consider: Consider using biometric technology for authentication, e.g., fingerprint, face recognition or smartcard technology.
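The Disable, Ensure and Deactivate tips above, as an added example (not from the slides) in Python: a minimal account model that deactivates the account after consecutive failed logins, logs the user off automatically after an idle period, and drops the session and privileges on a role change or exit. The threshold of 5 failures and the 10-minute idle period are assumed values, since the slide fixes neither.

```python
# Added example (not part of the original slides): account lockout after
# consecutive failed logins, automatic logoff after an idle period, and
# deactivation on role change or exit. Threshold, idle period and user
# names are constructed for the illustration; timestamps are plain floats.
from dataclasses import dataclass, field
from typing import Optional

MAX_CONSECUTIVE_FAILURES = 5      # assumed threshold; the slide fixes no number
IDLE_LOGOFF_SECONDS = 10 * 60     # assumed pre-selected idle period


@dataclass
class Account:
    user: str
    role: str
    active: bool = True
    failures: int = 0                                  # consecutive failed logins
    session_last_activity: Optional[float] = None      # None means no live session
    log: list = field(default_factory=list)            # (time, user, event) audit trail

    def login(self, password_ok: bool, now: float) -> bool:
        if not self.active:
            self.log.append((now, self.user, "login refused: account inactive"))
            return False
        if not password_ok:
            self.failures += 1
            self.log.append((now, self.user, f"failed login {self.failures}"))
            if self.failures >= MAX_CONSECUTIVE_FAILURES:
                self.active = False                    # Deactivate tip
                self.log.append((now, self.user, "deactivated: repeated failures"))
            return False
        self.failures = 0                              # a success resets the count
        self.session_last_activity = now
        self.log.append((now, self.user, "login"))
        return True

    def touch(self, now: float) -> bool:
        """Call on every request; returns False (after logging off) if idle too long."""
        if self.session_last_activity is None:
            return False
        if now - self.session_last_activity > IDLE_LOGOFF_SECONDS:
            self.logout(now, reason="auto logoff: idle")   # Ensure tip
            return False
        self.session_last_activity = now
        return True

    def logout(self, now: float, reason: str = "logout") -> None:
        self.session_last_activity = None
        self.log.append((now, self.user, reason))

    def change_role(self, new_role: str, now: float) -> None:
        """Role change or exit: drop the session and privileges until re-provisioned."""
        self.logout(now, reason=f"role change {self.role} -> {new_role}")   # Disable tip
        self.role = new_role
        self.active = new_role != "left"
```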
Cyber Hygiene
What is Cyber Hygiene
• Cyber hygiene refers to the practices and steps that users of computers and other IT devices take to maintain system health and improve online security.
• These practices are often part of a routine to ensure the safety of identity and other details that could be stolen or corrupted.
• Most of the cybersecurity breaches take place by exploiting end user and end point vulnerabilities, making Cyber Hygiene a key element in overall Information Security.
Using Email Safely
DO'S
• Do scan all email attachments for malware before opening them, especially those files with extensions .exe, .com, .bat, etc.
• Do disable automatic processing of email attachments in your Internet email software.
• Do consider controlling spam by using email filtering software that allows users to block or screen out spam using simple filtering rules.
• Do use separate email addresses for different purposes whenever feasible.
DON'TS
• Don't open or forward emails and email attachments from unknown sources.
• Don't mail-bomb, forward or reply to junk email or hoax messages. This may result in more incoming junk email than before.
• Don't respond to emails from unknown senders.
• Don't expose your email address on public websites such as search engines, contact directories, membership directories, newsgroup postings or chat rooms.
• Don't use an email address that contains any potential dictionary entries or common names.
• Don't forward chain email messages.
Major Types of Phishing Attack & response:
• Ensure the website that you are sharing your personal/financial information with is secure. A secure website’s URL should always begin with “https” instead of “http”. Also important is the presence of a lock symbol on the website (see figure a). Clicking on the lock icon should display the digital certificate that verifies the authenticity of the website.
For device / computer security
• Change passwords at regular intervals.
• Install antivirus on your devices and install updates whenever available.
• Always scan unknown Universal Serial Bus (USB) drives / devices before usage.
• Do not leave your device unlocked.
• Configure auto lock of the device after a specified time.
• Do not install any unknown applications or software on your phone / laptop.
• Do not store passwords or confidential information on devices.
For safe internet banking
• Always use a virtual keyboard on public devices since the keystrokes can also be captured through compromised devices, keyboards, etc.
• Log out of the internet banking session immediately after usage.
• Update passwords on a periodic basis.
• Do not use the same passwords for your email and internet banking.
• Avoid using public terminals (viz. cyber cafe, etc.) for financial transactions.
Cyber security threats to social networking
Secure Social Networking
• Privacy issues may arise if users reveal too much personal information. Information posted online usually cannot be retracted because it may be saved, or screen captured by others.
• Attackers could make use of a user’s personal information to undertake social engineering attacks, password guessing and other malicious activities.
• Social networking service providers typically do not verify the identity of new members, such that people on a social networking platform may not be who they claim to be, which can pose additional risks.
• Attackers could distribute malware and malicious code more easily due to the sharing nature of social networking.
Cyber Security Culture
• Cyber Security Culture (CSC) refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest themselves in people’s behaviour with information technologies.
• Encompasses familiar topics including cybersecurity awareness and information security frameworks but is broader in both scope and application, being concerned with making information security considerations an integral part of an employee’s job, habits and conduct, embedding them in their day-to-day actions.