Cyber Security Awareness training outlines key topics to help employees secure MCB information systems and data from cyber attacks. The training covers password security, email security, safe web browsing, social engineering, and MCB security policies. Case studies of real-world cyber attacks show how hackers have stolen millions from banks by exploiting human and technical vulnerabilities. The training emphasizes that security is everyone's responsibility and all employees must follow security protocols to protect MCB networks and data.

1. Cyber Security Awareness
Basic Level Training
Cyber-Security Team
RMG

2. Security is Everyone’s
Responsibility
Outline:
• Password Security
• Email Security
• Safe Web Browsing
• Social Engineering
• Policies

3. - To secure MCB information systems from cyber attacks
- Secure the login credentials
- Spread the awareness in employees about cyberattacks
- Safeguard your data from unauthorized access
- Protect MCB network from malicious attacks
Information Security Awareness Training Objective

4. Case Studies
Cyber-Security

5. • Computer Viruses so far is responsible for 100 million world wide losses” The Guardian
• Most of the biggest robbery in the world are done without entering the bank premises, or using any weapons!
• Below are the financial deficit due to financial institutions being HACKED!
Cyber Security Threats
Million Dollars

6. Bangladesh Bank Robbery
• Also known as Bangladesh Bank Cyber Heist
• Took place on a holiday in February 2016 against Bangladesh Bank
• Total 35 fraudulent instructions - 5 were successful, 30 were blocked
- 20M$ to Srilanka While 81M$ were transferred to Philippines
• 30 transaction of 850M$ were blocked
• Virus used in the process: Dridex which steals bank credentials
• FireEye performed the forensics investigation
• Sonali Bank of Bangladesh (2013)
- 250,000$ hacked aided by an insider

7. UK Bank Robbery
• TESCO Bank
- 2.8M$ Lost in November 2016
- 21.4M$ were fined by regulators
• Santander Bank
- Man posing as a maintenance engineer plugged keyboard video
mouse device (KVM).
- 380,000 card data was lost.
• Royal Bank of Scotland
- 1.5M cardholder data lost.

8. WannaCry : Global Cyber Attack Surface

9. What is Information Security?
Information
Security
Availability
Information should not be
disclosed to unauthorized
individuals or entities. E.g
– Salary Slip
– Student Grades
Safeguarding the accuracy and
completeness of information
asset E.g
– Amount in transaction
– Medical Record of a patient
Information assets should be readily available
and usable upon demand by an authorized
entity E.g
– Loss of Service

10. Why Banks are being Hacked?!

11. Why Banks are being Hacked?!

12. Use A Strong Password
• Use unique password for all your
accounts
• Password Length: At least 8 characters
• Password Complexity: Mix upper and
lower cases, numbers and symbols
• Do not use common and predictable
passwords
• Change password periodically.
• Do not share your password with
others or write them down.

13. Use A Strong Password
• ATM PIN Code
• Setting a Password (Total 95 Characters)
-10 digits: 0123456789
-26 lower case letters: abcdefghijklmnopqrstuvwxyz
-26 upper case letters: ABCDEFGHIJKLMNOPQRSTUVWXYZ
-33 special characters: `~!@#$%^&*()-_=+[]{}|;':",./<>?
• Two Factor Authentication
• One Time Password (OTP) E.g Whatsapp Login
• Never share your OTP with anyone

14. Password Construction
Pick a sentence that reminds you of the password. For example:
• This May Be One Way To Remember = "TmB1w2R!”
• I feel great = If33lgr8
• Honda 125 = H0n9@I2S
• Pakistan = p@k15TAn
• Just what I need, another dumb thing to remember! = Jw1n,adttr!
Don’t use this
example as
Password

15. Use A Strong Password
• Four means of authenticating user's identity
• Based on something the individual
– knows, e.g. password, PIN
– possesses, e.g. key, token, smartcard
– is (static biometrics), e.g. fingerprint, retina
– does (dynamic biometrics), e.g. voice, sign

16. Password Vulnerabilities
• Offline dictionary attack
• Specific account attack (user john)
• Popular password attack (against a wide range of IDs)
• Password guessing against single user (w/ previous knowledge about
the user)
• Workstation hijacking
• Exploiting user mistakes
• Exploiting multiple password use
• Electronic monitoring

17. Social Engineering

18. Most Common Hacking Attacks
• Social Engineering Attack (E.g pretending as Co-worker or an IT guy)
- Baiting (Leaves a USB of virus at a public place)
- Phishing / Spear Phishing (Installing malware or Ransomware)
- Honey Trap (Online relationships to gather sensitive info)
- Pretexting (Pretending as your old friend in need of money)
• Troy Movie (Greeks vs Trojan Army)
• Catch Me If You Can Movie (Frank Abagnale)
- A doctor - A Pilot
- A Lawyer - Forged Checks

19. Story : Victor Lusting

20. Most Common Human Errors
• Outdated Antiviruses
• Easy Passwords / Sharing
• Pirated Software
• Sharing of Confidential Information
• Opening e-mail attachments from strangers
• Updates, Service Packs are missing or not installed
• Not reporting security violations

21. Successful Attacks

22. Emails Security

23. Safe Web Browsing
• Do not browse for personal entertainment on official machines
• After you finish your business in a website i.e. internet banking,
remember to log out of your account. Don’t just close the browser.
• Don’t use public Wi-Fi
• Do not subscribe social sites on official email address

24. Beware Social Media Sites
An attacker can extract the
following information
• Employment Details
• Education
• Relationship Status
• Location Profiling
• Political / Religious views
• Photos
• Family Details
“Facebook is not your friend, it is a surveillance engine”
Richard Stallman

25. Successful Attacks
Pay attention to the web address, if it has changed or doesn’t seems
correct, it may be a fraudulent site

26. Question : What are Bitcoins ?

27. Cyber Attacks : Pakistani Banks
EVEN MCB!!!

28. Information Security –Assets & Classification
Information Assets
Confidential or Restricted: Information that belongs to customers, employees and MCB’s business,
or if disclosed to unauthorized persons, could have an adverse impact on MCB's operational, legal or
regulatory obligations, or on its financial status, customers or reputation
Internal: Information that is commonly shared within MCB by the employees, and is not intended for
distribution outside MCB.
Public: Information that is freely available outside of MCB, or is intended for public use

29. ITG - Service Desk

30. Learn More ! = Security Policies + Disciplinary Actions
 Refer to the hyperlink below, to learn more about staying safe
online:
 MCB Information Security Policies
 Adherence to policies will lead to serious consequences and
disciplinary penalties. Refer to HR documents below:
 Disciplinary Action Details
 Disciplinary Action Against: If Staff is Involved in Password Sharing

31. Risks Categories
Financial Risk
Loss of funds
Fines and penalties
Loss of revenue
Reputational Risk
Impact on a brand name
Law suits
Operational Risk
Service disruption
Loss of business operations
Financial Risk
Operational
Risk
Reputational
Risk

32. Question
Which one of the following is the best example of a secure password
as per MCB Password Policy?
a) mcb123
b) 1SMcB#0U53!
c) _________ (blank)
d) Pakistan
e) 03004209211

33. Question
How often should a user change the password?
a) Never
b) Only after Year End Closely
c) At least within 30 days
d) Whenever, user wants

34. Question
Information Security is based on the CIA triad. What does CIA stand for?
a) Central Investigation Agency
b) Common Information Anywhere
c) Confidentiality, Integrity & Availability
d) Catch Illegal Accounts

35. Weakest Link = HUMAN!

36. Systems / PC Security

37. Security Beyond Office : USB DO’s and Don'ts
• Protect your USBs or external drives
with a password
• Encrypt USBs and external drives
contents
• Always protect your documents with
strong password
• Do not accept any promotional external storage
device (i.e. USB, External drives) from unknown
members
• Avoid storing confidential data on external
storage devices
• Never connect external storage devices without
scanning
External storage devices have serious cyber security risks, they are utilized as a medium to spread
viruses, malwares, Trojans and ransomwares. Millions of bank records will be at stake, if storage devices
are utilized

38. Long Story Short!

39. Question
By pressing which keys you can lock your computer?
a) Any key
b) Lock key
c) Windows Key + L
d) Car Keys

40. Question
Always share information with any one over the phone without
confirming the identity ?
a) True
b) False

41. Clear Desk
Always share information with any one over the phone without
confirming the identity ?
• Sensitive or critical business information must be stored in suitable locked
cabinets when not in use, especially after working hours
• Sensitive or classified information, when printed, is to be cleared from printers
immediately
• Photocopiers are to be locked after normal working hours

42. Clear Screen
• Keep the computer screen desktop clear
• No confidential information should be placed on the desktop screen
• Computers are not to be left logged on when unattended
• Don’t leave any documents open on the screen
• Use password protected screen savers

43. Question
• Keep all confidential account information on your desktop screen and printed
confidential information on your table?
a) True
b) False

44. Recognizing a break-in or compromise
• Antivirus software detects a problem
• Pop-ups suddenly appear (may sell security software)
• Disk space disappears
• System slows
• Unusual messages, sounds, or displays on your monitor
• Your computer shuts down and powers off by itself

45. WAY Forward : Payment Card Industry – Data Security
Standard
• The PCI Security Standards Council is a global forum for the ongoing development,
enhancement, storage, dissemination and implementation of security standards for
account data protection.
• Founded in 2006 by American Express, Discover, JCB International,
MasterCard and Visa Inc.
• The PCI DSS applies to all entities that store, process, and/or transmit cardholder
data. It covers technical and operational system components included in or connected
to cardholder data.
If you accept or process payment cards, PCI DSS applies to you

46. IT SEC_RITY U
Follow these policies and guidelines to make
MCB (Most SeCure Bank)
in Pakistan!
90% 10%

47. User Activities are Monitored!

48. Hacked ? Or Reporting a security breach ?
Reach US @
itsecurity@mcb.com.pk
Learn More about Information Security visit MCB InfoSec Policies