2. INTRODUCTION
A major advantage of computers is data storage.
All data and information are stored electronically.
Minimizes paperwork.
Networking of branches and banks provides services through the internet or mobile devices.
This exposes the data across the globe.
It raises serious problems relating to data integrity and security.
3. OBJECTIVE OF PROVIDING DATA SECURITY
1. To guarantee a certain level of availability of services.
2. To guarantee the integrity of the data exchanged and stored.
3. To guarantee the confidentiality of the data exchanged and stored.
4. To guarantee the authenticity of the user.
5. To ensure the data and the systems can be audited whenever required, and that sufficient audit trails are generated to detect any misuse.
5. ACCIDENTAL DAMAGES
The most common cause of damage to computer installations, equipment and data.
ENVIRONMENTAL HAZARDS
Spikes in power and improper grounding (earthing).
Excessive humidity, water seepage and floods.
Radio transmissions interfering with data transmissions.
ERRORS AND OMISSIONS
In system design and process development.
In program maintenance and while carrying out correction procedures.
In data entry at the time of terminal operations.
6. EFFECT OF ACCIDENTAL DAMAGES
Significant commercial consequences.
Close attention is required to the planning of computerized systems.
Opportunities for fraud may arise because of poor systems design.
7. MALICIOUS DAMAGES
A computerized environment provides a number of new opportunities for fraudsters, primarily due to the ease with which fraudsters can hide their actions on computer systems.
From disgruntled employees who wish to disrupt the service.
From individuals with wrong intentions who use technology to perpetrate fraud for financial gain.
8. EFFECT OF MALICIOUS DAMAGES
Interruption in banking services.
Services are affected immediately: links to automated teller machines, POS terminals or other electronic networks are brought down.
Insufficient processing capacity to cope with the additional load.
Leads to suspension of the banking facility unless adequate contingency plans have been specified and tested beforehand.
The consequential cost of a serious system failure exceeds the cost of replacing damaged equipment, data or software.
Loss of time.
9. FRAUDS
Special programs: utility programs used to make unauthorized changes to computerized records, bypassing the normal control facilities built into the computer systems.
Unauthorized manipulation of programs or data that bypasses passwords: the relevant files are removed from their primary location, transported to another computer and returned after manipulation.
Unauthorized amendments made to payment instructions prior to their entry into the computer system.
Unauthorized changes to programs made during routine development or maintenance which cause the program to generate accounts or remove records of transactions.
10. CRYPTOGRAPHY (DATA ENCRYPTION)
Encryption – to maintain secrecy.
Ensures the message is not altered fraudulently or accidentally.
Plain text
Cipher text
Public key – known by all the business partners
Private key – known to the user alone
SYMMETRIC KEY MECHANISM
ASYMMETRIC KEY MECHANISM
11. CRYPTOGRAPHY
User ---------------- Internet ---------------- Server
Plaintext P --Encrypt (key K)--> Ciphertext C --Decrypt (key K)--> Plaintext P
C = Encrypt_K(P)
P = Decrypt_K(C)
12. SYMMETRIC KEY CRYPTOGRAPHY
Single key – also called the secret key, private key or symmetric key.
Used for both encryption and decryption of the message.
Sender and recipient must possess the same secret key.
Not useful on large networks like the internet.
Useful when the network is very small and the parties are already known to each other.
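The C = Encrypt_K(P) / P = Decrypt_K(C) exchange above, worked through in code. This is an added example, not code from the lecture: it builds a symmetric scheme from the Python standard library alone (HMAC-SHA256 in counter mode for the keystream, plus a second HMAC tag so that an altered message or a wrong key is rejected, which is where the "message is not altered" guarantee actually comes from). The key and the payment message are constructed sample values; a real system would use a vetted cipher such as AES-GCM rather than this hand-built construction, but the shape is the same.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed demonstration (not the lecture's code): symmetric encryption where
# one shared key K both encrypts and decrypts, with an integrity tag so tampering
# or a wrong key is detected instead of producing garbage silently.


def _derive_subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Split the one shared secret K into an encryption key and a MAC key."""
    enc_key = hmac.new(key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom bytes: HMAC(enc_key, nonce || counter) for counter = 0, 1, ..."""
    blocks = []
    counter = 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """C = Encrypt_K(P): returns nonce || ciphertext || tag."""
    enc_key, mac_key = _derive_subkeys(key)
    nonce = secrets.token_bytes(16)  # fresh per message; never reused with the same key
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """P = Decrypt_K(C): verify the tag first, then strip the keystream."""
    enc_key, mac_key = _derive_subkeys(key)
    if len(blob) < 16 + 32:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: wrong key or altered message")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """True when decrypt() rejects the blob (wrong key or modified ciphertext)."""
    try:
        decrypt(key, blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # constructed: agreed out of band by both parties
    message = b"PAY 1000.00 TO ACCOUNT 1234567890"  # constructed sample instruction
    c = encrypt(shared_key, message)
    print(decrypt(shared_key, c))
```

Because the same key must already be held by both ends before the first message, the example also illustrates the slide's limitation: every pair of parties on a large network would need its own pre-shared key.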
13. ASYMMETRIC KEY CRYPTOGRAPHY
KEY – a series of characters fabricated carefully using numerical values to encode a message; the message can be read by a person in possession of that key or of a related key.
This type of cryptography is very powerful and uses public keys.
KEY SECRECY – The public key is not a secrecy issue.
The private key must be secret and not shared with anyone.
If the private key is compromised, security is threatened.
16. STEPS INVOLVED IN PHYSICAL SECURITY
Make a complete and detailed inventory of all hardware and equipment.
Make use of alarm systems to prevent equipment being stolen.
Regularly take backups of all software, data and databases on backup media.
Keep the backups in a secure and protected place.
Encrypt confidential data/information.
Entry to office premises should be restricted.
Proper systems for identification of outsiders on the premises.
17. DOCUMENT SECURITY
Prepare an inventory of all important records.
Identify the persons responsible for different types of records.
Classify and store the records which are vital to the bank.
Dispose of all those records which are not required.
Transfer all important records to safe storage media.
Hard copies should be secured in plastic containers.
An off-site arrangement for storing all important records should exist.
18. LOGICAL SECURITY
Concerned with software access control.
Software resources and applications require protection.
A barrier is to be maintained between the users and the software resources.
Access control to resources is based on 2 levels:-
Authorisation
Authentication of the authorised person.
The Database Administrator (DBA) grants rights to different types of users to access particular software.
Authentication – the process of verifying the identity of the user who is going to log in to the system.
19. Some computer systems provide special levels of security.
Multi-level access control – applied at:
User level – only an authorised user can enter the program.
Terminal level – if the user knows the password of the system itself, he/she can go further.
Menu level – if the user knows the password for reaching the next level, he/she can go further.
File level – only a user who knows the password to manipulate a file can do so.
Application level – only a user who knows the password for running the application can do so.
20. Internal access control – involves particular information like date, time, identification of the user, etc.
Limiting the number of unsuccessful attempts – the system locks when a wrong password is entered a specific number of times.
Audit trail – a record is created automatically and even the access situations can be known.
Limiting access of users to directories – users' access is limited to particular directories, subdirectories, files and packages.
Encryption of data and files – can be opened only with the symmetric or asymmetric key.
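The logical-security controls of slides 18 to 20 (authentication of the authorised person, lockout after a fixed number of wrong passwords, an audit trail recording date, time and user for every access event, and authorisation limited to particular directories) in one runnable form. This is an added example and not the lecture's or any bank's code; the usernames, directory paths and the three-attempt limit are constructed for the demonstration, and passwords are stored as salted PBKDF2 hashes rather than in clear.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed demonstration (not the lecture's code) of authentication, lockout,
# audit trail and directory-level authorisation for a small user base.

MAX_FAILED_ATTEMPTS = 3  # constructed policy value: lock after three wrong passwords
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    allowed_dirs: Tuple[str, ...]  # authorisation granted by the DBA/administrator
    failed_attempts: int = 0
    locked: bool = False


class AccessController:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit_trail: List[Tuple[str, str, str]] = []  # (timestamp, user, event)

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _audit(self, user: str, event: str) -> None:
        # Date, time and user identity are recorded for every event, as the slide lists.
        self.audit_trail.append((time.strftime("%Y-%m-%dT%H:%M:%S"), user, event))

    def register(self, username: str, password: str, allowed_dirs) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, self._hash(salt, password), tuple(allowed_dirs))
        self._audit(username, "ACCOUNT_CREATED")

    def authenticate(self, username: str, password: str) -> bool:
        """Verify identity; lock the account after MAX_FAILED_ATTEMPTS wrong passwords."""
        acct: Optional[Account] = self.accounts.get(username)
        if acct is None:
            self._audit(username, "LOGIN_FAIL unknown user")
            return False
        if acct.locked:
            self._audit(username, "LOGIN_REJECTED account locked")
            return False
        if hmac.compare_digest(self._hash(acct.salt, password), acct.password_hash):
            acct.failed_attempts = 0
            self._audit(username, "LOGIN_OK")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            self._audit(username, "ACCOUNT_LOCKED after %d failures" % acct.failed_attempts)
        else:
            self._audit(username, "LOGIN_FAIL attempt %d" % acct.failed_attempts)
        return False

    def authorise(self, username: str, path: str) -> bool:
        """Allow access only inside the directories granted to this user."""
        acct = self.accounts.get(username)
        if acct is None:
            self._audit(username, "ACCESS_DENIED unknown user " + path)
            return False
        allowed = any(path == d or path.startswith(d.rstrip("/") + "/") for d in acct.allowed_dirs)
        self._audit(username, ("ACCESS_OK " if allowed else "ACCESS_DENIED ") + path)
        return allowed

    def events_for(self, username: str) -> List[str]:
        """Audit trail entries for one user, for review when misuse is suspected."""
        return [event for _, user, event in self.audit_trail if user == username]


if __name__ == "__main__":
    ac = AccessController()
    ac.register("teller1", "correct horse", ["/bank/branch01"])  # constructed user and path
    ac.authenticate("teller1", "correct horse")
    ac.authorise("teller1", "/bank/branch02/ledger.db")
    for entry in ac.audit_trail:
        print(entry)
```

Two design points worth noting: the audit entry for a denied access is written before the decision is returned, so the trail is complete even when the caller ignores the result; and the directory check compares whole path components, so a grant on /bank/branch01 does not accidentally cover /bank/branch01x. A lockout keyed on the username alone can also be used to lock legitimate users out, so an operational deployment pairs it with an unlock procedure and alerting on ACCOUNT_LOCKED events.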
21. NETWORK SECURITY
Data and resources are shared on a LAN.
The network requires a great deal of security from intruders.
Physical intrusion – when intruders have physical access to nodes.
- They can use the computer to get onto the network.
- They can remove peripherals from the system.
- From one system, data can be sent to another system in an unauthorised manner.
System intrusion – the intruder is a person who has some rights to use a user account.
- If there are no proper checks in the system, the intruder may enter different packages to gain administrative privileges for which he is not authorised.
22. Remote intrusion – when an intruder tries to penetrate a system from a remote location across the network (hacking).
BIOMETRIC SECURITY
A technique to measure physical characteristics which is capable of verifying the identity of an individual.
Two types:-
Physiological – more reliable
Behavioural
23. Physiological technology – involves:
Finger or hand pattern recognition – highest level of identification; a mature and reliable technology.
Voice recognition – the pattern of pronouncing words; frequency characterisation and mannerisms are taken into account in these techniques.
Iris recognition – a freshly taken video picture of the iris is compared with a stored template.
Behavioural technology – signature recognition.