VULNERABILITY ASSESSMENT
Contents
- Vulnerability Assessment on Capitec Bank
- Asset Identification on Capitec Bank
- Cash
- Securities
- Loans
- Property
- Equipment
- Threat Identification
- Attack Tree
- Banking Intangible assets
- Banking Tangible assets
- Weaknesses in intangible assets
- Weaknesses in tangible assets
- Risk Assessment
- Risk Mitigation
Vulnerability Assessment on Capitec Bank
Banks need to protect their assets from any threat that may occur, as well as providing users with the guarantee that all their banking credentials are kept safe. The customer confidentiality policy ensures that no employee other than those who are authorized may reveal any form of customer information to any person who is not working for the bank.
Assets are items that provide positive economic value to the enterprise. For Capitec Bank this comprises cash, securities, loans, and the property and equipment that allow it to operate.
Cash is the predominant factor when it comes to banking, since it is the source that drives the bank to function. Banks also need to supply their clients with the necessary setup of accounts and the availability of capital when they need to use certain services, for example depositing, withdrawing, writing a cheque, investing money, or requesting a loan.
Banks also need to maintain a certain level of capital to ensure they can maintain all their services and pay for their own sustainability, such as rent, water and lights. Every bank needs to have some sort of contingency money in case they run short of a service or just for increased safety. Banks need vault cash: cash that a bank keeps in its vault for daily transactions, such as check cashing or cash withdrawals. It is considered part of a bank's reserve obligation to the Federal Reserve Bank.
Vault cash is the cash that needs crucial security from unauthorized employees as well as from any person who may potentially want to steal it.
This includes all the security necessary to protect the assets of the bank. Security systems such as network security are used to control the access of employees, to encrypt secure transactions of user information and to store all the information in distributed databases. Security such as bodyguards may be necessary in certain banks to provide a sense of security to clients and to people who come to the bank to deposit or withdraw large amounts of cash.
Loans are the major asset for most banks. Banks provide loans in order to secure a form of fixed income that clients need to pay. Loans can come in the following forms: mortgages, credit cards and car loans. Loans include the following major types:
- Business loans
- Real estate loans
  - Residential mortgages
  - Home equity loans
  - Commercial mortgages
- Consumer loans
  - Credit cards
  - Auto loans
- Interbank loans
Property can include the building in which the business operates or which it owns, as well as the rights to certain services. The bank needs to take care of its property in order to sustain itself and to provide a good environment for clients and employees, and this all contributes to the bank attracting more clients.
Equipment is the equipment used in the bank to process all the transactions and to store user information effectively. Equipment needs to be protected, and certain equipment needs to be duplicated to provide redundancy, which increases the overall reliability of the system. Access to certain equipment also needs protection, because when an employee who doesn't have the necessary skill to operate it uses the equipment, they may crash it or corrupt crucial files. Equipment that needs protection is as follows: bank vault, networking systems, and computer systems that employees may use.
Classification of threats by category: physical, cash, security, loan, property, equipment
| Categories of threats | Capitec Bank examples |
|---|---|
| Natural disasters | Fire, flood or earthquake can destroy the physical assets of Capitec Bank |
| Espionage | |
| Extortion | HR employee blackmailed into giving out sensitive data about top management |
| Hardware failure or errors | Compromised computers, e.g. old computer systems, outdated operating systems; firewall blocks all network traffic |
| Sabotage or vandalism | Attacker sends phishing or pharming emails, adware etc. to employees. Visitors and contractors can also plant malicious devices, e.g. USB sticks, chips, mouse, keyboard. Attacker implants worms that erase files. Thieves can also break into the bank and steal money, hardware and sensitive documents. |
| Software attacks | Screen capture, session hijacking, Trojans and spyware. Botnets, Trojans, key loggers and denial of service attacks compromising hardware and software. |
| Software failure or errors | Security bug in the open-source OpenSSL cryptography library; software update leads to erroneous orders at a stock exchange; wrong counting at elections because of the use of different software; bug prevents a program from loading properly |
| Technical obsolescence | Programs don't function under new versions of operating systems; hardware compatibility with advanced software upgrades. |
| Theft | Robbery, identity theft, social engineering, ATM interception. Desktop computers being stolen due to lack of security measures. |
| Utility interruption | Electrical power is cut off. |

- Security system
- Operating system
- Database management system
- Computer software
- Property
- ATM
- Equipment
- Money
- Human

10 vulnerabilities most commonly found in e-banking systems

Many vulnerabilities vary in security level; three common security levels are high, medium and low. The level determines how vulnerable the system might be. Capitec is an innovative bank offering services to users. It is a South African bank which is growing at a rapid pace. The bank has a good recovery system in place. Capitec Bank has a forum which includes the bank's senior managers and external security experts and which focuses on identifying long-term security risks.
Security system flaws consist of the system vulnerabilities that can be exploited by attackers, for example unauthorized users being able to perform transactions. An Internet Explorer flaw can put users at risk: Microsoft has confirmed the flaw as a remote code execution vulnerability, which can lead to users revealing personal information to an attacker.
Configuration flaws can play a very big role in the vulnerability of a system. Configuration flaws are caused by the incorrect configuration of the operating system, the DBMS, web servers and web application components. Using the default configuration can also be a configuration flaw, because once an attacker knows what kind of operating system, DBMS, web servers and web application components are in use, it will be easier for the attacker to infiltrate the system.
Unencrypted data transfer can also cause a big problem, because attackers can listen to the data and store it for malicious use. Insecure configuration of cookie parameters can lead to data being stolen. Password policies can also lead to vulnerability. When users set weak passwords that can be easily guessed by other users, the system is exposed, so password policies are important to force users to set strong passwords (for example: at least one upper case letter, one number, one special character, and a length of not less than 8 characters).
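The password rules listed in the paragraph above, implemented as a small validator; this is an added example, not Capitec's code or part of the original assignment. Beyond the four stated rules it also rejects a constructed, hypothetical blocklist of common passwords that satisfy the character rules yet remain easy to guess, which is the gap a character-only policy leaves open.

```python
import re

# Policy stated in the text: at least one upper-case letter, one number,
# one special character, and a length of not less than 8 characters.
MIN_LENGTH = 8

# Constructed, hypothetical blocklist (a real deployment would use a much
# larger list). Each entry passes the character rules but is easily guessed.
COMMON_PASSWORDS = {"password1!", "welcome1!", "qwerty123!", "capitec1!"}

# Each rule is (name, predicate); the predicate returns True when satisfied.
RULES = [
    ("min_length", lambda p: len(p) >= MIN_LENGTH),
    ("uppercase", lambda p: re.search(r"[A-Z]", p) is not None),
    ("digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("special", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
    ("not_common", lambda p: p.lower() not in COMMON_PASSWORDS),
]


def check_password(password: str) -> list:
    """Return the names of the rules the password fails (empty list = accepted)."""
    return [name for name, satisfied in RULES if not satisfied(password)]


def is_acceptable(password: str) -> bool:
    """True only when every policy rule is satisfied."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords, from clearly weak to policy-compliant.
    for candidate in ["capitec", "Capitec2014", "Password1!", "C@p1tec-Vault"]:
        failures = check_password(candidate)
        verdict = "accepted" if not failures else "rejected: " + ", ".join(failures)
        print(f"{candidate!r}: {verdict}")
```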
Property is one of the biggest assets Capitec Bank owns; with about 285 branches in Gauteng alone, it is vitally important to have proper structures in place to secure the most valuable asset of the bank, which is money. Property is vulnerable to attacks like natural disasters, technical disasters and acts of vandalism.
ATMs are prone to attacks as they are easily accessible. ATM bombing has been an issue in the past in our country, and measures should be put in place so that even if such an attack happens the bank's assets can be secured.
The equipment enables Capitec Bank to function; loss of or damage to the equipment will cripple the functioning of the bank, and this can be caused by human error, technical obsolescence, hardware failure, sabotage and vandalism. Vaults serve as the last resort for protecting the most valuable asset of the bank.
Money is the most valuable asset of the organization. It is more vulnerable when it is being moved, for example from a shop to the bank, and less vulnerable when it is in the vault, where it is more secure.
This involves determining the damage that would result from an attack and the likelihood that the vulnerability is a risk to the bank. Below is a table for performing a risk assessment on Capitec Bank:
| Threat | Vulnerability | Existing controls | Likelihood of occurrence | Impact | Risk level |
|---|---|---|---|---|---|
| Disclosure of confidential customer information | Lack of employee understanding of the information security risk to customer information | 1) Information security training; 2) Information security policy | Low | Low | Low |
| Hacking the Capitec website | Attackers know that many people use the Capitec website for internet banking | Use the HTTPS protocol to secure the website and ensure encrypted sessions for users, etc. | Low (banking websites are very secure these days) | High | Low |
| Breaking into the bank | Attackers may storm the bank with weapons to rob it | Security guards may be placed to provide some security, as well as systems such as alarms | Low (banks these days have a one-person entry system that may not allow two or more attackers to storm the bank) | Low | Low |
| Natural disasters | This may impact the whole bank | Store user data and crucial information in off-site databases or upload it to a server | Low | Low | Low |
Risks can never be entirely eliminated, and banks should take the necessary steps to try to diminish risk by providing a form of extra (layered) security. Creating a security posture is good business practice and creates an environment and standard that must be followed to provide excellent security.
Creating a baseline configuration helps to evaluate systems against certain conditions and to see whether they produce consistent results. After the security posture is established it is necessary to continually monitor the systems through vulnerability scanning and penetration testing, which can provide valuable information regarding the current state of the system. Once vulnerabilities are exposed there should be plans to address them before any attackers notice.
Hardening is another technique used to eliminate as many security risks as possible. Hardening techniques include:
- Protecting accounts with passwords
- Protecting management interfaces and applications.
After all the necessary steps are taken to secure information, there needs to be reporting.