1 / 37

Cyber Security for financial services

Cyber Security for financial services. Submitted by S. Deepalakshmi Assistant Professor in Computer Science Rajapalayam Rajus’ College Rajapalayam. Business has been aggregating data and risk at an unprecedented rate…. 5. Fully Integrated information based Business.

regand
Download Presentation

Cyber Security for financial services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cyber Security for financial services Submitted by S. Deepalakshmi Assistant Professor in Computer Science Rajapalayam Rajus’ College Rajapalayam

  2. Business has been aggregating data and risk at an unprecedented rate… 5. Fully Integrated information based Business 4. Technology Integration 3. Transactional systems Degree of Data Digitization 2. Storing Information • Messaging Spectrum of Risk

  3. And our physical infrastructure has become intertwined and reliant on our cyber infrastructure Source: DHS, "Securing the Nation’s Critical Cyber Infrastructure

  4. We have developed the myth that technology can be an effective fortress – we can have security Traditional focus on: • Better Firewalls • Boundary Intrusion Detection • Critical Offsite Capacity • Compliance Certification False myths: • IT staff = security staff • Compliance failure is the main source of risk • Being compliant = being safe

  5. Some types of Cyber Threats Source: analysis, Dr Irv Lachov

  6. Drivers: fear and impact Attacks are increasingly easy to conduct Email propagation of malicious code DDoS attacks “Stealth”/advanced scanning techniques Increase in worms Sophisticated command and control Widespread attacks using NNTP to distribute attack Skill level needed by attackers 2008 Widespread attacks on DNS infrastructure Attack sophistication Executable code attacks (against browsers) Anti-forensic techniques Automated widespread attacks Home users targeted GUI intruder tools Distributed attack tools Hijacking sessions Increase in wide-scale Trojan horse distribution Internet social engineering attacks Widespread denial-of-service attacks Windows-based remote controllable Trojans (Back Orifice) 1990 Techniques to analyze code for vulnerabilities without source code Automated probes/scans Packet spoofing Source: SE/CERT CC

  7. The proliferation of capability into the hacker/criminal world has enabled a blurring of actors and motivations – a major challenge for any future international regime for controlling national state cyber competition

  8. Agenda • Genesis of INFINET & Architecture • Banking Applications - Intra Bank Applications - Inter Bank Applications • Network Security Components • Enterprise-wide Network Infrastructure • Financial Networks • Security Targets

  9. Genesis of INFINET & Architecture In the year 1994, the Reserve Bank of Indiaformed a committee on "Technology Up gradation in the Payment Systems". The committee recommended a variety of payment applications which can be implemented with appropriate technology up gradation and development of a reliable communication network.              As recommended by the Committee, the Institute for Development & Research in Banking Technology [IDRBT] was established by the Reserve Bank of Indiain 1996 as an Autonomous Centre for Development and Research in Banking Technology. 

  10. Genesis of INFINET & Architecture In July 1996, in a meeting of the Chiefs of Public Sector Banks, chaired by the Governor of Reserve Bank of India, it was decided that a reliable nationwide communication backbone for the Banks and Financial Institutions be established. RBI entrusted the task of setting up this backbone to IDRBT. IDRBT established the VSAT based INFINET Network at the IDRBT Campus, Hyderabad. The Network inaugurated on  June 19, 1999. The Hub site is owned, managed and operated by IDRBT. Remote VSATs, installed across the country over 300 locations are owned by respective member banks.

  11. Genesis of INFINET & Architecture Terrestrial Network (Leased Line) connecting 21 cities commissioned and made operational in the year 2001. The terrestrial network seamlessly integrated with VSAT Network. The entire Network managed through Integrated Network Management System (UniCentre TNG and CISCO Works) 24 X 7 Network management from two locations namely at IDRBT, Hyderabad and RBI, Mumbai.

  12. INFINET (LEASED LINE) BACKBONE NETWORK CHANDIGARH JAMMU LUCKNOW JAIPUR DELHI KANPUR CALCUTTA BHOPAL AHMEDABAD GUWAHATI MUMBAI PATNA NAGPUR GOA BHUBANESHWAR PUNE BANGALORE HYDERABAD CHENNAI KOCHI 4 X 2 Mbps NMS at Hyderabad Links of Banks getting Connected to INFINET Network 2 X 2 Mbps Back up NMS at Mumbai

  13. Banking Application Intra Bank The transaction taking place within the Bank such as Funds Transfer, E-Mail, HR, Personnel and Administrator etc., Branches Head Quarter / Regional Office/Zonal Office / Specialized Branches Inter-Bank The transaction taking place between the Banks, between the Bank and Central Bank (RBI) such as Clearing and Settlement, Electronic Fund Transfers (EFTs) etc.,

  14. IDRBT Certifying Authority Fulfilling the need of trusted third party services in e-commerce Licensed CA by CCA, government of India Issues and manages digital certificates having legal sanctity under IT act 2000 for banking and financial sector Attained excellent standards complying with information technology act, 2000 Certificate policies and practices of high standards supporting certification services of IDRBT CA

  15. Banking Applications Structured Financial Messaging System (SFMS) Public Debit Office - Negotiated Dealing System (PDO-NDS) Electronic Fund Transfer (EFT) Real Time Gross Settlement (RTGS) Central Fund Management System (CFMS) Secure E-mail Secured Server EnDeSign Intra Bank Applications

  16. Registration Authority (RA) Entities nominated by Banks / FIs and trusted with IDRBT CA Serving as a point of contact for registration of users i.e., verification of subscribers’ credentials before issuance of certificates by IDRBT CA Officials appointed by Banks / FIs

  17. Digital Certificates • Classified according to the level of subscriber’s identity verification • Class 1, Class 2, Class 3 Certificates • Validity of one year • Legally valid under IT Act 2000 • for digital signatures, encryption and secure server

  18. CCA IDRBT CA IDRBT CA Repository RA RA RA Subscriber Subscriber Subscriber Subscriber Subscriber Subscriber IDRBT CA - PKI Hierarchy

  19. Safe storage of inter-bank messages • Direct Routing to destination Bank Gateway • Access Validation Central HUB INFINET IP Network (IIPN) • Safe storage • Direct Routing to intra-bank sites • Routing to ‘others’ Bank sites via Central HUB Gateway N Gateway 1 Gateway 2 • Common IIPN access point • Safe storage …. Bank Site Bank Site Bank Site Bank Site Bank Site Bank Site Bank Site Bank Site Bank Site SFMS Architecture

  20. IDRBT Mail Messaging System Primary Role : Mail Gateway for the Banking System Entire Mail system of Reserve Bank of India and 20 odd Public Sector Banks depend on IDRBT Mail gateway Bridge between the closed user group [INFINET] and the outside world for seamless to and fro transmission of mail Implemented with standard protocol - SMTP Ancillary services DNS services Domain Name Registration Web Based mail access from Internet

  21. Layer 3 Switch Leased Line Links V-SAT Links MMS  MMS setup  Mail Hub 5 Infinet MITHI  Servers Communicating With Infinet Servers Mail Hub 4  Servers Communicating With Internet Servers Mail Hub 1 STPI Link   Mail Hub 2 BSNL Link  Internet MITHI Mail Hub 3 De-Militarized Zone [ D M Z ] Link Proof PIX Firewall

  22. PDO-NDS system interfaces Members PDO-NDS system (P1A) Current PDO (settlement system) RBI as a Member PDO-NDS File transfer facility PDO DAD System administrator RBI Control user CCIL

  23. RTGS - Payment by Bank-A to Bank-B through the account maintained at Central Bank Bank - A Bank - B Bank level Server (BLS) Bank level Server (BLS) 1. Payment message 4b. Payment Notification (credit) 4a. Payment Notification (debit) Apex level Server of RBI 2. Settlement Request 3. Settlement Advice Deposit Account Department, RBI Reserve Bank of India

  24. Security Features in Bank Applications Digital Signature of initiating entity – for financial messages, transactions, e-mails, office orders, memos, circulars, etc. Signature to be verified by entity acting on the message Encryption (if necessary) when the message is on open channel Sending / Intermediate servers (acting as post box) can sign and / or encrypt as per the requirements of applications

  25. Network Security Components Firewall Intrusion Detection System (IDS) Virtual Private Network (VPN) Antivirus Solutions

  26. Security Solution Implementation for RBI (INFINET) Total Number of Locations: 38 Nos.

  27. INFINET Firewall implementation with Load Balancer Router PIX Firewall Load Balancer PIX Firewall L2Switch RBI Network

  28. Placement of IDS INFINET Server Sensor Network Sensor Mailserver Firewall DMZ Network Sensor Server Sensor Webserver Console RBI Network Database Server Server Sensor

  29. VPN Infrastructure through INFINET Delhi INFINET VPN Connections Internet Corporate Customer Secured Web enabled application Govt. Departments using connectivity through INFINET Chennai

  30. A Typical Secure Connectivity to Banks and Financial Institutions INTERNET EXTERNAL FW (S) INFINET FW (P) DMZ-2 DMZ-1 INTERNAL ISA SERVER Banks / Financial Institutions

  31. Gateway Protection Internet Internet Server or Gateway File Server Protection NetWare File Server Desktop PC Windows NT Server Desktop PC (Exchange/Notes /cc:Mail) Groupware Desktop Protection Mail Server Protection Enterprise Wide AutomaticMalicious Code Control System

  32. Multiprotocol Label Switching (MPLS) INFINET E A Ingress Router Payload IP 2 Payload IP 9 D Payload IP Payload IP 5 B Payload IP 3 C Bank 2 Label Switching Path

  33. In Label Out Label 9 5 9 Label swapping IP Address Out Label 192.4/16 9 192.4.2.1 Assign Initial Label Packet Traversing a Label Switched Path Ingress Router In Label Next Hop 212.1.1.1 2 In Label Out Label In Label Out Label 5 3 3 2 5 2 3 Remove Label Label swapping Label swapping E A C D B A : Ingress Router- Using FEC,this router groups all the packets having the destination address 192.4/16.And assigns a label(with a value 9) to the packet and forwards it to the next hop(B) in the LSP B: at this core LSR the in label gets swapped with the out label i.e, 9 is swapped by 5 C: 5 is swapped by 3 D: 3 is swapped by 2 E: Egress Router- here the label is removed and the packet is Forwarded using the conventional IP routing

  34. Satellite Transponder Enterprise-wide Network Infrastructure DP11 DP12 DP13 DP14 Local Router Zonal Route VSATs DP21 N2 N1 Network Backbone DPN22 DP24 DP23 Leased Line/ PSTN/ISDN/ Dial-up/ Radio Microwave N4 N5 VSATs VSATs N3 DP31 NSE Reuter DP32 SWIFT DP50 DP53 DP33 DP52 DP43 DP41 DP51 DP42

  35. Reuters Network SWIFT Network NSE Network Gateways and Integration with Other Financial Network Services G1 - SWIFT Network G2 - Reuters Network G3 - Stock Exchange Network G4 - Inter Banks/FIs G5 - Shared ATMs G6 - Clearing Operations Network G7 - Internet G2 G3 G3 G2 G1 G1 Corporate Network G2 G2 G2 G1 G1 G3 G3 G1 G3 Inter Banks/FIs Network G4 Shared ATMs Network G5 G4 G4 Clearing Operations Network G5 G6 G5 Internet G7 Financial Networks

  36. Application Security Password Security Physical Security E-mail Security Logical Security Internet Security Network Security Firewall Security Database Security Freeware Security Backup Security Intranet Security Operating System Security Router Security Service Providers Remote Access Security against Viruses Security Targets

  37. THANK YOU

More Related