Cyber Security for Financial Institutions
Best Practices and Recommendations
By : Khawar Nehal
Applied Technology Research Center
http://atrc.net.pk
17 August 2016
For FPCCI seminar on cyber security
Agenda
What needs to be done
Why it needs to be done
How to do it
Trends and solutions
Other suggestions
What needs to be done
Recognition that the financial industry did not
prepare well for the cyber security threats.
Recognition that the financial industry shall be
offering online services in the future.
Accepting that depending on others to solve the
problem shall not work.
Why it needs to be done
The only constant in the universe is change.
Cyber security threats are likely to rise rather than
fall.
Security is possible if people decide to take full
responsibility for it.
How it needs to be done
Development of a security policy
Implementation of security policies which are
effective in maintaining security
Monitoring and control of weak elements in the
system.
Elimination of weak elements with more audited
new elements to allow for incremental
development.
Trends
Insider Misuse
Miscellaneous errors
Denial of Service
Crimeware
For : Insider misuse
Steps :
Make sure you have a security policy
Train everyone on the security policy
Get everyone to sign on the policy
Implement the policy
What you need to do is learn how to monitor for
illegal behavior or actions which violate the policy.
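The slide ends with the instruction to learn how to monitor for actions which violate the policy. The following is an added example, not code from the original presentation or from ATRC, showing what such monitoring looks like in practice: a signed policy expressed as data (business hours, each user's home branch, who may export reports, how many distinct accounts one user may touch) and a checker that runs over audit log lines and emits one alert per violation. The log lines, user names, branches and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real bank data). One action per line.
SAMPLE_LOG = """\
2016-08-17T09:14:05 user=teller7 action=view_account account=ACC-1001 branch=B2
2016-08-17T09:15:40 user=teller7 action=view_account account=ACC-1002 branch=B2
2016-08-17T09:16:02 user=teller7 action=view_account account=ACC-2001 branch=B5
2016-08-17T23:41:10 user=teller7 action=view_account account=ACC-1003 branch=B2
2016-08-17T10:02:11 user=auditor1 action=export_report account=- branch=HQ
2016-08-17T10:03:00 user=teller9 action=export_report account=- branch=B2
2016-08-17T10:05:00 user=teller9 action=view_account account=ACC-1004 branch=B2
"""

# The written policy everyone signed, as data. Values are hypothetical.
POLICY = {
    "business_hours": (8, 19),       # actions allowed from 08:00 up to 18:59
    "home_branch": {"teller7": "B2", "teller9": "B2", "auditor1": "HQ"},
    "export_roles": {"auditor1"},    # only these users may export reports
    "max_accounts_per_user": 2,      # more distinct accounts than this is bulk access
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"account=(?P<account>\S+) branch=(?P<branch>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def check_policy(log_text, policy=POLICY):
    """Return a list of (user, rule, detail) tuples, one per policy violation."""
    alerts = []
    accounts_seen = defaultdict(set)
    start, end = policy["business_hours"]
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            alerts.append(("-", "unparseable_line", raw))
            continue
        user, action, branch = rec["user"], rec["action"], rec["branch"]
        if not (start <= rec["ts"].hour < end):
            alerts.append((user, "outside_business_hours", rec["ts"].isoformat()))
        home = policy["home_branch"].get(user)
        if home is None:
            alerts.append((user, "unknown_user", raw))
        elif branch != home:
            alerts.append((user, "cross_branch_access", f"{branch} != {home}"))
        if action == "export_report" and user not in policy["export_roles"]:
            alerts.append((user, "unauthorised_export", raw))
        if action == "view_account":
            accounts_seen[user].add(rec["account"])
    # Volume rule is evaluated once over the whole window, not per line.
    for user, accounts in accounts_seen.items():
        if len(accounts) > policy["max_accounts_per_user"]:
            alerts.append((user, "bulk_account_access", f"{len(accounts)} distinct accounts"))
    return alerts


if __name__ == "__main__":
    for alert in check_policy(SAMPLE_LOG):
        print(alert)
```

Each rule maps directly to a sentence in the signed policy, which is what makes the alert defensible when it is raised with the person concerned; the checker deliberately reports every violation rather than stopping at the first, so a single user who trips several rules stands out.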
For : Miscellaneous errors
Generally these can be distilled down to two types:
software errors which cause the software not to follow
the configuration, and misconfiguration by the
administrator or responsible person.
For : Miscellaneous errors
If you train the administrators and
eliminate ALL bugs in your software, then
you shall eliminate a LOT of the issues
related to cyber security.
For : Miscellaneous errors
It is very important to eliminate ALL
vendors which provide a false
presentation of security when their
supplied systems are not able to
provide REAL security due to bugs
and low quality of development.
For : Miscellaneous errors
Think like the air force.
Check everything.
If everything is not bug free, then do
not FLY.
In the financial industry, that means
stop rolling out services or systems
with bugs, which are the cause of past,
present and future problems.
For : Miscellaneous errors
It shall not be long before products
with errors and mistakes are no longer
blamed on the vendors but on
procurement.
So change before the change is
forced on to you.
Denial of service
Even if it is a DDoS, all you need to do is route
your incoming connections through a DDoS
mitigation vendor. They shall handle it completely for you.
If the DoS threat is internal then you just combine
the first two items mentioned :
insider misuse and miscellaneous errors.
The solution to this combination shall solve the
DoS issue.
Crimeware
This requires training and awareness of the user.
For example, everyone knows that if they lose
their credit card, they are to report it within 24
hours or risk losing money.
So they take it seriously.
Similarly, all communications related to
configurations (passwords, accounts, PIN codes,
card numbers or whatever) need to be confirmed
on the bank's original phone numbers and emails
before any requests are entertained.
Crimeware
The main reason is that insecure computers are
allowed to access the bank systems via users.
Basic measures like checking for insecure or lax
systems before allowing your software to be used
shall help solve a lot of issues.
Examples include : looking for the existence of
uncommon applications on devices.
Devices include laptops, desktops and mobiles.
Crimeware
As security awareness increases, financial
institutions can steadily raise their
requirements for secure computing systems for
users.
The other approach is to offer better risk-managed
services to those with more secure platforms.
An example is the difference in POS risk
management between vendors with chip-and-swipe
terminals and vendors with old magnetic-stripe-only
terminals.
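The two Crimeware slides above describe checking a user's device for lax settings and uncommon applications before the bank's software is allowed to be used, and then tiering the service offered according to how secure the platform is. The following is an added example, not code from the presentation or from ATRC, that implements both ideas together: a posture report sent by the client is assessed against a policy, and the result is a tier ("full", "limited" or "deny") with a matching transaction limit. All policy values, application names and limits are hypothetical and would be tuned by the institution.

```python
from dataclasses import dataclass


@dataclass
class DevicePosture:
    device_type: str        # "laptop", "desktop" or "mobile"
    os_version: str         # e.g. "10.2"
    patch_age_days: int     # days since the last security update was applied
    installed_apps: list    # application names reported by the client
    disk_encrypted: bool
    screen_lock: bool


# Hypothetical policy for this example; a bank would raise these over time
# as awareness grows, exactly as the slide suggests.
MIN_OS_VERSION = {"laptop": (10, 0), "desktop": (10, 0), "mobile": (6, 0)}
MAX_PATCH_AGE_DAYS = 30
KNOWN_APPS = {"bank-client", "office-suite", "pdf-reader", "browser"}
FLAGGED_APPS = {"remote-control-tool", "credential-dumper-demo"}  # constructed names
TRANSACTION_LIMIT = {"full": 500_000, "limited": 20_000, "deny": 0}  # per day, by tier


def parse_version(text):
    """Turn '10.2' into (10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess(posture):
    """Return (tier, findings). Findings explain the tier to the user and to support staff."""
    findings = []
    if parse_version(posture.os_version) < MIN_OS_VERSION[posture.device_type]:
        findings.append("os_too_old")
    if posture.patch_age_days > MAX_PATCH_AGE_DAYS:
        findings.append("patches_out_of_date")
    apps = set(posture.installed_apps)
    if apps & FLAGGED_APPS:
        findings.append("flagged_software_present")
    uncommon = apps - KNOWN_APPS - FLAGGED_APPS
    if uncommon:
        findings.append("uncommon_software:" + ",".join(sorted(uncommon)))
    if not posture.disk_encrypted:
        findings.append("disk_not_encrypted")
    if not posture.screen_lock:
        findings.append("no_screen_lock")

    # Hard failures deny outright; everything else degrades to the limited tier.
    if "flagged_software_present" in findings or "os_too_old" in findings:
        return "deny", findings
    if findings:
        return "limited", findings
    return "full", findings


def allowed_limit(posture):
    """The risk-managed service level: how much this device may move per day."""
    tier, _ = assess(posture)
    return TRANSACTION_LIMIT[tier]


# Constructed sample devices.
CLEAN_LAPTOP = DevicePosture("laptop", "10.2", 5, ["bank-client", "browser"], True, True)
STALE_PHONE = DevicePosture("mobile", "7.1", 90, ["bank-client", "mystery-app"], True, False)
BAD_DESKTOP = DevicePosture("desktop", "8.1", 2, ["bank-client", "remote-control-tool"], True, True)

if __name__ == "__main__":
    for device in (CLEAN_LAPTOP, STALE_PHONE, BAD_DESKTOP):
        print(device.device_type, assess(device), allowed_limit(device))
```

The findings list is returned alongside the tier so the client can tell the user exactly what to fix to regain full service, which is what turns the check into the awareness-raising tool the slide wants rather than an opaque refusal.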
4 major threats covered
So we have covered the trending 4 major threats
and some ways which can reduce them
significantly.
Question to ask
How can I reduce my security issues without
having to spend a lot of resources?
By asking this question, you shall be able to get a
lot of security results.
Without it, you shall have a lot of vendors pushing
a lot of noise and less security.
Why this question
This is the main question which system operators
and admins ask when they are faced with real
threats, and it has worked over the last 60 years of
computing.
That is why industries like Internet services have
fewer security issues while other industries have
many loopholes.
Other techniques
Here is a list of methods which, from our
experience, help a lot towards increasing cyber
security.
Redundant systems from different suppliers.
Example : Learn how the root DNS servers are
implemented.
Know about communications
Private links are sold and marketed as private.
Examples include : satellite links and point-to-point
radio links.
Yet spy satellites target point-to-point links, and
a satellite broadcasts to 1/3 of the planet.
Add-ons for browsers like Firefox
There are many useful security-related add-ons for
Firefox.
And Firefox is designed in a safer manner than
most other browsers.
Train people and make them use the security
add-ons.
Active companies need to have these add-ons
report their findings instead of just protecting the
users.
Software updates
Protection of mission-critical systems which
cannot be updated too frequently.
They need to be protected with application-level
gateways implemented on continuously updated
systems.
Detecting weak systems
Any system parts which are weak in security need
to be identified and isolated, then replaced with
other parts of similar functionality so that the
overall security can be improved.
If the introduction of a part causes more
successful and frequent attacks, then that part is
to be considered weak and should be replaced.
Bounties for weaknesses
Offer bounties to find weaknesses in your system.
Get over your fear and do it.
Most people and companies do not do it
because of the fear that they have to change
their systems and modify their processes.
This is why we have cyber security issues.
Separate checking system
The system software and applications which are
to check the laptop, desktop or server shall reside
on a separate bootable SD card.
Shutdown compromised systems
If the checking system detects anomalies, then
the system needs to be quarantined and another
system shall be used in its place.
The data can be migrated from the old system to
the redundant or replacement system.
Clean image booting
Clean booting via virtual machine images,
snapshots, software like Deep Freeze and (to be
checked) Windows 10 methods needs to be used
so that the computers used for access have a low
chance of being compromised by other software
or configurations.
Application level gateways
Servers need protection via application-level
gateways.
Especially weak software which may be
proprietary and whose bugs cannot all be fixed.
Some device drivers could be available only on
insecure types of software, so they also need to be
protected via such gateways.
Application-level gateways do not pass arbitrary
network traffic, only the application protocol itself, so
they act like firewalls as far as stopping unnecessary
packets goes.
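To make concrete what "only the application protocol passes" means in the slide above, here is an added example, not from the presentation or ATRC, of the inspection core of an application-level gateway for a legacy HTTP service that cannot itself be patched. Unlike a packet filter, it parses the request as HTTP, allows only a named set of method/path routes, checks header and body sizes, and for the one write operation validates the JSON body field by field before anything is forwarded. The routes, the account-number format and the sample traffic are constructed for the example.

```python
import json
import re

# Hypothetical allowlist for the protected legacy service: the only operations the
# gateway will carry, and for each the exact set of JSON keys the body must have.
ALLOWED_ROUTES = {
    ("GET", "/api/balance"): None,                        # no request body permitted
    ("POST", "/api/transfer"): {"from", "to", "amount"},  # exact set of JSON keys
}
MAX_HEADER_BYTES = 4096
MAX_BODY_BYTES = 1024
ACCOUNT_RE = re.compile(r"^ACC-\d{4}$")   # constructed account-number format


def inspect_request(raw):
    """Decide whether a raw HTTP/1.1 request may be forwarded. Returns (allowed, reason)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete_or_non_http"        # e.g. a TLS or binary probe
    if len(head) > MAX_HEADER_BYTES:
        return False, "headers_too_large"
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "malformed_request_line"
    if version != "HTTP/1.1":
        return False, "unsupported_version"
    path = target.split("?", 1)[0]
    if (method, path) not in ALLOWED_ROUTES:
        return False, "route_not_allowed"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        return False, "missing_host"
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        return False, "bad_content_length"
    if declared != len(body):
        return False, "content_length_mismatch"       # smuggling / truncation attempts
    if declared > MAX_BODY_BYTES:
        return False, "body_too_large"
    required = ALLOWED_ROUTES[(method, path)]
    if required is None:
        return (True, "ok") if not body else (False, "unexpected_body")
    if headers.get("content-type") != "application/json":
        return False, "bad_content_type"
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "invalid_json"
    if not isinstance(payload, dict) or set(payload) != required:
        return False, "unexpected_fields"               # nothing the backend never asked for
    if not all(ACCOUNT_RE.match(str(payload[k])) for k in ("from", "to")):
        return False, "bad_account_format"
    amount = payload["amount"]
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        return False, "bad_amount"
    return True, "ok"


def build_request(method, path, body=b""):
    """Construct a sample request with a correct Content-Length (test helper)."""
    head = f"{method} {path} HTTP/1.1\r\nHost: bank.example\r\n"
    if body:
        head += f"Content-Type: application/json\r\nContent-Length: {len(body)}\r\n"
    return head.encode("ascii") + b"\r\n" + body


# Constructed sample traffic, not captured from any real system.
SAMPLES = {
    "balance": build_request("GET", "/api/balance?acct=ACC-1001"),
    "transfer": build_request("POST", "/api/transfer",
                              json.dumps({"from": "ACC-1001", "to": "ACC-2002", "amount": 500}).encode()),
    "extra_field": build_request("POST", "/api/transfer",
                                 json.dumps({"from": "ACC-1001", "to": "ACC-2002",
                                             "amount": 500, "note": "x"}).encode()),
    "admin_path": build_request("GET", "/admin/console"),
    "binary_probe": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```

Everything the gateway rejects never reaches the fragile backend, so a bug in the backend's parser is only reachable through the narrow, well-formed input this code lets through; that is the protective effect the slide is describing. In production the gateway host itself must be one of the continuously updated systems, as the Software updates slide says.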
Authentic and non-auth backups
Similar to the authentic primary data servers and
their replicated backup servers in the DNS root
server design, application servers can be designed
in a similar manner.
This way the reliability of the services is increased.
Offline backups
Offline and offsite backups are mandatory.
Online backups can and will be compromised in
cases of cyber crime.
Since the online backups are connected to the
original, it can be assumed that the attacker has
access to the online backups and can effectively
destroy them if they are in a position to
destroy the original servers.
Encrypted backups
All backups need to be encrypted. Especially
those which are stored physically offline and
offsite.
They shall be transported out physically.
Use tough encryption
Put more effort into implementing the strongest
encryption techniques.
If possible, even go for theoretically
unbreakable encryption.
Automate the process so it becomes easier to
use.
Multifactor authentication
Use more than just passphrases.
Use SMS, smart cards and more.
Secure programming
Train people in secure and reliable programming.
Hire people who know secure and reliable
programming.
Continuously updated systems
There are many systems available which are
continuously updated.
Learn to use them and actually use them.
Summary
So now we have covered some other methods of
increasing cyber security.
To understand them in detail and to discuss your
specific business and its needs, please contact us
for more details.
Contact information
Applied Technology Research Center
92-331-2036-422
khawar@atrc.net.pk
http://atrc.net.pk
Samples of attacks follow,
and other suggestions.
An example of a real attack
I had been getting SMS messages and emails but
I did not know that ordinary folk were being
successfully looted by the billions.
Had we known earlier, we would have been making
presentations earlier.
It was recently that the financial industry started
taking a stance and started asking the companies
to do something.
Carbanak
• Most cybercrime targets consumers and businesses, stealing
account information like passwords and other data that then
lets thieves cash out hijacked bank accounts or create fake
credit/debit cards.
• This group now specializes in breaking into banks directly and
then uses ways to funnel cash from the financial institution
itself.
• Carbanak deployed malware via phishing scams to get inside
computers at 100+ banks and steal between $300 million
and $1 billion.
Not surprising
The attack method is related to social engineering and phishing, so it
is not surprising.
What I am afraid of is that we know of far more serious attack
methods which have been used.
Lack of updates
Common Vulnerabilities and Exposures (CVE)
Verizon Data Breach Investigations Report (DBIR)
Lack of updates
One half of the CVEs exploited in 2014 went from
publication to compromise in less than a month.
In addition, 99.9% of the exploited vulnerabilities
were compromised more than a year after the
CVE was published.
Lack of updates
A key point in the DBIR is that a CVE being added
to Metasploit is probably the single most reliable
predictor of exploitation in the wild. This reinforces
that patching is a significant concern and applying
patches quickly and efficiently reduces the threat
landscape by a significant amount.
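The three Lack of updates slides above turn into a concrete operational rule: rank open vulnerabilities by whether a public exploit exists and by how long they have been open, and treat anything a year old as an emergency. The following is an added example, not code from the presentation or from ATRC, of a small patch-queue prioritiser that applies those two signals plus exposure, reports breaches of an internal patching SLA, and separates out items with no vendor fix, which are the candidates for isolation behind an application-level gateway as the deck recommends. The CVE identifiers, dates, system names and weights are placeholders constructed for the example, not real entries.

```python
from datetime import date

# Constructed inventory of vulnerabilities on our own systems. Identifiers in the
# CVE-0000-* range are placeholders; nothing here refers to a real CVE.
INVENTORY = [
    {"cve": "CVE-0000-0001", "system": "web-frontend", "published": date(2016, 7, 20),
     "patch_available": True, "exploit_public": True, "internet_facing": True, "patched": False},
    {"cve": "CVE-0000-0002", "system": "reporting-db", "published": date(2015, 3, 1),
     "patch_available": True, "exploit_public": False, "internet_facing": False, "patched": False},
    {"cve": "CVE-0000-0003", "system": "web-frontend", "published": date(2016, 8, 10),
     "patch_available": True, "exploit_public": False, "internet_facing": True, "patched": False},
    {"cve": "CVE-0000-0004", "system": "mail-gateway", "published": date(2016, 2, 1),
     "patch_available": True, "exploit_public": True, "internet_facing": True, "patched": True},
    {"cve": "CVE-0000-0005", "system": "legacy-core", "published": date(2016, 6, 1),
     "patch_available": False, "exploit_public": True, "internet_facing": False, "patched": False},
]


def patch_lag_days(item, today):
    """Days since the CVE was published: the window an attacker has already had."""
    return (today - item["published"]).days


def priority(item, today):
    """Numeric priority; higher means patch sooner. Weights are our own choice."""
    score = 0
    if item["exploit_public"]:
        score += 100   # a public exploit module is the strongest predictor named in the DBIR
    if item["internet_facing"]:
        score += 30
    lag = patch_lag_days(item, today)
    if lag > 365:
        score += 50    # still open a year on: the bucket the DBIR puts 99.9% of exploited CVEs in
    elif lag > 30:
        score += 20    # past the one-month window in which half of 2014's exploited CVEs were hit
    return score


def patch_queue(inventory, today):
    """Open items that have a fix, ordered by priority, then by id for a stable order."""
    fixable = [i for i in inventory if not i["patched"] and i["patch_available"]]
    return sorted(fixable, key=lambda i: (-priority(i, today), i["cve"]))


def sla_breaches(inventory, today, max_days=30):
    """Open items (fixable or not) older than the internal patching SLA."""
    return [i["cve"] for i in inventory
            if not i["patched"] and patch_lag_days(i, today) > max_days]


def needs_compensating_control(inventory):
    """Open items with no vendor fix: isolate them behind an application-level gateway."""
    return [i["cve"] for i in inventory if not i["patched"] and not i["patch_available"]]


if __name__ == "__main__":
    today = date(2016, 8, 17)   # the seminar date, used as a fixed "now" for the sample
    for item in patch_queue(INVENTORY, today):
        print(priority(item, today), item["cve"], item["system"])
    print("SLA breaches:", sla_breaches(INVENTORY, today))
    print("No fix available:", needs_compensating_control(INVENTORY))
```

The point of keeping the weights in one function is that the ordering can be argued about and changed in one place when the next DBIR shifts the evidence, while the queue, SLA and compensating-control reports stay the same.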
Dependence causes weakness
Increased reliance upon technology service providers weakens
financial institutions with regard to cyber security.
Institutions need to take responsibility for all outsourced technology
services.
Institutions must eliminate single points of failure. Dependence on
one vendor for mission-critical systems is not acceptable anymore.
Service providers need to prove resilience (especially in the face of
cyber events) and security. One way is to demand SLAs as a
minimum.
Plans for redundancy and backups need to be made to survive
critical vendor and infrastructure failure.
A recent example of phishing
A ninth grade example from 2014
A pair of ninth-graders used a manual for a cash machine that
showed them how to get into its "operator mode" using a guessable
password. They didn't steal any cash, but instead assisted the
Bank of Montreal in closing off the vulnerability.
Suggestions
A defacement is a corruption of your website.
Use static HTML for the most critical pages.
This makes your website less likely to be defaced.
Use content management pages in the
background or for pages which change a
lot.
Suggestions
A defacement is a corruption of your website.
Have regular downloads of the website via
crawling.
In case your website is defaced and the content
management pages are taking too long to restore,
at least you shall have static pages available.
Also have regular backups via FTP so it costs less
to restore the original CMS website too.
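The two Suggestions slides above pair a static copy of the critical pages with regular crawl downloads. The following is an added example, not code from the presentation or from ATRC, that shows the detection and fallback the crawled copies make possible: each crawl is reduced to a fingerprint (path to SHA-256 of content), the current crawl is compared with the last known-good baseline, pages the CMS is expected to change are reported separately from defacements, and a restored page set is built from the baseline for anything defaced, missing or unexpectedly added. The page contents and paths are constructed for the example and stand in for what a real crawl would download.

```python
import hashlib

# Constructed site content standing in for two scheduled crawls of the same site.
BASELINE_PAGES = {
    "/index.html": b"<html><body><h1>Example Bank</h1><p>Welcome.</p></body></html>",
    "/contact.html": b"<html><body><h1>Contact</h1><p>Branch list.</p></body></html>",
    "/news.html": b"<html><body><h1>News</h1><p>Item 1</p></body></html>",
}
CURRENT_PAGES = {
    "/index.html": b"<html><body><h1>This page has been replaced</h1></body></html>",
    "/contact.html": b"<html><body><h1>Contact</h1><p>Branch list.</p></body></html>",
    "/news.html": b"<html><body><h1>News</h1><p>Item 1</p><p>Item 2</p></body></html>",
    "/promo.html": b"<html><body><p>unexpected</p></body></html>",
}
VOLATILE_PAGES = {"/news.html"}   # CMS-driven pages expected to change between crawls


def fingerprint(pages):
    """Map each path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in pages.items()}


def compare_snapshots(baseline, current, volatile=()):
    """Report pages that changed, vanished or appeared relative to the baseline fingerprint.

    Changes to paths listed in `volatile` are reported under their own key so that
    routine CMS updates do not page the on-call team as a defacement."""
    report = {"defaced": [], "missing": [], "unexpected_new": [], "volatile_changed": []}
    for path, digest in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path] != digest:
            key = "volatile_changed" if path in volatile else "defaced"
            report[key].append(path)
    for path in current:
        if path not in baseline:
            report["unexpected_new"].append(path)
    return report


def is_defaced(report):
    """Anything other than an expected volatile change counts as an incident."""
    return bool(report["defaced"] or report["missing"] or report["unexpected_new"])


def restore_from_baseline(baseline_pages, current_pages, report):
    """Build the page set to serve while the CMS is being restored: known-good static
    copies replace defaced or missing pages, foreign pages are dropped, and legitimate
    volatile changes are kept."""
    restored = dict(current_pages)
    for path in report["defaced"] + report["missing"]:
        restored[path] = baseline_pages[path]
    for path in report["unexpected_new"]:
        restored.pop(path, None)
    return restored


if __name__ == "__main__":
    report = compare_snapshots(fingerprint(BASELINE_PAGES), fingerprint(CURRENT_PAGES), VOLATILE_PAGES)
    print("defaced:", is_defaced(report), report)
    fallback = restore_from_baseline(BASELINE_PAGES, CURRENT_PAGES, report)
    print("pages to serve:", sorted(fallback))
```

In use, the baseline fingerprint and page copies would be written by the last crawl that a person signed off on and stored offline, in line with the Offline backups slide, so that an attacker who alters the live site cannot also alter the reference it is checked against.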
Lack of training
If you want to learn about security then go to a
security website.
Do not go to a company site selling security
products.
Examples to get you started :
Sectools.org, seclists.org, nmap.org
Cybercrime bill
Make people aware of the existence of the
cybercrime bill. Technically, it allows international
cooperation.
It might not deter the hardest criminals, but at
least you can inform them that you have the legal right
to prosecute for unauthorized access.
SMiShing
• Phishing lures sent via SMS text message, and voice phishing
(vishing).
• "Thank you for calling Askari Bank. A text message has been
sent to inform you that your debit card has been limited due
to a security issue. To reactivate, please press 1 now."
• The caller is then prompted to enter the last four digits of their CNIC, and
then the full card number and expiration date.


Editor's Notes

  • #4 Accept that we need to prepare better Services need to be offered due to market demands Self reliance and taking ownership shall work.
  • #5 Changes shall keep happening. Attacks are very likely to rise in complexity and severity. Security is possible if responsibility is taken for it.
  • #6 Develop a security policy Implement it Monitor it Control it Eliminate all weak elements in the system.
  • #7 Here are the trends in attacks over the past few years.
  • #8 The top 4 from the trends: Insider misuse, Errors, Denial of service, Crimeware
  • #9 Insider misuse is when a person inside the organization does something bad. To solve this you need A security policy Make sure everyone knows the policy exists and is active Implement the policy Have a system to monitor actions so the policy can be implemented
  • #10 Errors: errors in configuration by the administrator managing the system, and errors in the software development of the system which prevent administrators from implementing their configuration correctly.
  • #11 Errors A LOT of issues can be solved by fixing the software bugs and having the correct configurations by the administrator. This requires bug free software and well trained and experienced administrators.
  • #12 Depending on vendors to supply bug free systems has not worked so far very well. So monitor for product quality and replace all components of the system which cause more attacks to become successful.
  • #13 Learn from the airforce. They check everything before takeoff. For the financial industry it means stop offering services if you do not have the systems ready for it.