IT SECURITY PROCEDURES AND GUIDELINES
Adrija Sen
INTRODUCTION
A major advantage of computers is data storage.
All data and information are stored electronically.
Minimizes paperwork.
Networking of branches and banks provides service through the internet or mobile.
This exposes the data across the globe.
Serious problems arise relating to data integrity and security.
OBJECTIVE OF PROVIDING DATA SECURITY
1. To guarantee a certain level of availability of services.
2. To guarantee the integrity of the data exchanged and stored.
3. To guarantee the confidentiality of the data exchanged and stored.
4. To guarantee the authenticity of the user.
5. The data and the systems can be audited whenever required and generate sufficient audit trails to detect any misuse.
THREATS
Accidental damages (beyond one’s control)
Environmental hazards,
Errors and Omissions.
Malicious damages (more serious nature)
ACCIDENTAL DAMAGES
Most common cause of damage to computer installations, equipment and data.
ENVIRONMENTAL HAZARDS
Spikes in power and improper grounding (earthing).
Excessive humidity, water seepage and floods.
Radio transmissions affecting data transmissions.
ERRORS AND OMISSIONS
System design and process development.
Program maintenance and while carrying out correction procedures.
Data entry at the time of terminal operations.
EFFECT OF ACCIDENTAL DAMAGES
Significant commercial consequences.
Close attention is required in the planning of computerized systems.
Opportunities for fraud may arise because of poor systems design.
MALICIOUS DAMAGES
A computerized environment provides a number of new opportunities for fraudsters.
Primarily due to the ease with which fraudsters can hide their actions on computer systems.
From disgruntled employees who wish to disrupt the service.
From individuals with wrong intentions who use technology for perpetrating fraud for financial gain.
EFFECT OF MALICIOUS DAMAGES
Interruption in banking services.
Services are affected immediately: links to automated teller machines, POS or other electronic networks are brought down.
Insufficient processing capacity to cope with the additional load.
Leads to suspension of the banking facility unless adequate contingency plans have been specified and tested beforehand.
The consequential cost of a serious system failure exceeds the cost of replacing damaged equipment, data or software.
Loss of time.
FRAUDS
Special program – a utility program used to make unauthorized changes to computerized records, bypassing the normal control facilities built into the computer systems.
Unauthorized manipulation of programs or data that bypasses password controls: the relevant files are removed from their primary location, transported to another computer and returned after manipulation.
Unauthorized amendments made to payment instructions prior to their entry into the computer system.
Unauthorized changes to programs made during routine development or maintenance which cause the program to generate accounts or remove records of transactions.
CRYPTOGRAPHY (DATA ENCRYPTION)
Encryption – to maintain secrecy.
Ensures the message is not altered fraudulently or accidentally.
Plain text
Cipher text
Public key – known by all the business partners.
Private key – known to the user alone.
SYMMETRIC KEY MECHANISM
ASYMMETRIC KEY MECHANISM
CRYPTOGRAPHY
[Diagram: the user encrypts the plaintext with key K and sends the ciphertext across the Internet; the server decrypts it with the same key K to recover the plaintext.]
User: C = Encrypt_K(P)
Server: P = Decrypt_K(C)
SYMMETRIC KEY CRYPTOGRAPHY
Single key – secret key, private key, symmetric key.
Used for both encryption and decryption of the message.
Sender and recipient must possess the same secret key.
Not useful on large networks like the internet.
Useful when the network is very small and the parties are already known to each other.
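The diagram's symmetric mechanism (C = Encrypt_K(P) on the user side, P = Decrypt_K(C) on the server side, both holding the same K) as an added example that is not part of the slides. It uses only the Python standard library, so the keystream is an HMAC-SHA256 counter construction standing in for a real block cipher such as AES (an assumption for offline runnability); a tag over the ciphertext gives the "not altered" property the slides ask for.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate confidentiality and integrity keys from the shared secret K.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream: HMAC-SHA256(enc_key, nonce || counter).
    # Assumption: a stand-in for a real cipher (e.g. AES) so the example runs offline.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """C = Encrypt_K(P). Output is nonce || ciphertext || tag; the tag covers both."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key: bytes, message: bytes) -> bytes:
    """P = Decrypt_K(C). Raises ValueError if the key is wrong or the message was altered."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed: message altered or wrong key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))

def rejects(key: bytes, message: bytes) -> bool:
    """True if the server refuses the message (shows tamper detection)."""
    try:
        decrypt(key, message)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    k = os.urandom(32)                                # K, shared by user and server
    c = encrypt(k, b"PAY 500 TO ACCOUNT 1234")        # constructed sample instruction
    print(decrypt(k, c), rejects(k, c[:-1] + bytes([c[-1] ^ 1])))
```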
ASYMMETRIC KEY CRYPTOGRAPHY
KEY – a series of characters, fabricated carefully using numerical values, used to encode a message; the message can be read by a person in possession of that key or any other related key.
This type of cryptography is very powerful and uses public keys.
KEY SECRECY – public keys are not a secrecy issue.
The private key must be kept secret and not shared with anyone.
If the private key is compromised, security is threatened.
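The public/private key relationship described above, as an added example that is not from the slides: textbook RSA with constructed toy primes (p=61, q=53) so the arithmetic is visible. Anyone holding the public key (n, e) can encrypt; only the holder of the private exponent d recovers the message, and the public exponent alone does not. Assumptions: no padding and toy key sizes, which real deployments never use.

```python
from math import gcd

def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes. Assumption: toy sizes, no padding; real keys use 2048+ bit n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)        # private exponent: e*d == 1 (mod phi); needs Python 3.8+
    public_key = (n, e)        # may be known by all business partners
    private_key = (n, d)       # known to the owner alone; compromise breaks all secrecy
    return public_key, private_key

def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encrypt an integer message 0 <= m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)

def decrypt(private_key, c: int) -> int:
    """Only the holder of the private exponent d recovers m."""
    n, d = private_key
    return pow(c, d, n)

def demo():
    # Constructed toy values: p=61, q=53 give n=3233, phi=3120, d=2753.
    pub, priv = make_keypair(61, 53)
    c = encrypt(pub, 65)          # a partner encrypts with the public key -> 2790
    m = decrypt(priv, c)          # the owner decrypts with the private key -> 65
    wrong = decrypt(pub, c)       # applying the public exponent instead does not recover m
    return c, m, wrong

if __name__ == "__main__":
    print(demo())
```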
COMPUTER SECURITY
Physical Security
Logical Security
Network Security
Biometric Security
PHYSICAL SECURITY
Intrusion prevention – locking, guarding
Intrusion detection
Disturbance sensors
Barrier detectors
Buried line detectors
Surveillance
Document security
Power protection
Water protection
Fire protection
Contingency planning
STEPS INVOLVED IN PHYSICAL SECURITY
Make a complete and detailed inventory of all hardware and equipment.
Make use of alarm systems to prevent equipment from being stolen.
Regularly take backups of all software, data and databases on backup media.
Keep the backup in a secure and protected place.
Encrypt confidential data/information.
Entry into office premises should be restricted.
Proper systems for identification of outsiders in the premises.
DOCUMENT SECURITY
Prepare an inventory of all important records.
Identify the persons responsible for different types of records.
Classify and store the records which are vital to the bank.
Dispose of all those records which are not required.
Transfer all important records to safe storage media.
Hard copies should be secured in plastic containers.
An off-site arrangement for storing all important records should be in place.
LOGICAL SECURITY
Related to software access control.
Software resources and applications require protection.
A barrier is to be maintained between the users and the software resources.
Access control to resources is based on 2 levels:
Authorisation
Authentication of the authorised person.
The Database Administrator (DBA) grants rights to different types of users to access particular software.
Authentication – the process of verifying the identity of the user who is going to log in to the system.
Some computer systems provide special levels of security.
Multi-access control – involved at:
User level – only an authorised user can enter the program.
Terminal level – if the user knows the password of the system itself, he/she can go further.
Menu level – if the user knows the password for reaching the next level, he/she can go further.
File level – only a user who knows the password can manipulate the file.
Application level – only a user who knows the password can run the application.
Internal access control – involves particular information like date, time, identification of the user, etc.
Limiting the number of unsuccessful attempts – the system gets locked when a wrong password is entered a specific number of times.
Limiting audit trail – a backup is created automatically and access events can be traced.
Limiting access of users to directories – access of users is limited to particular directories, subdirectories, files and packages.
Encryption of data and files – can be opened only with the symmetric or asymmetric key.
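The authentication, lockout and audit-trail controls listed above, as an added example that is not part of the slides. The login service stores salted PBKDF2 password hashes, locks an account after a constructed threshold of 3 wrong passwords (an assumption; the slides give no number), refuses even a correct password once locked, and records who attempted what from which terminal so misuse can be detected later.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_FAILED_ATTEMPTS = 3   # assumption: lockout threshold chosen for this example

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: a copied password file does not yield the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False

class LoginService:
    def __init__(self):
        self.accounts = {}
        self.audit_trail = []   # one record per attempt, retained for review

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str, terminal: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return self._audit(username, terminal, "UNKNOWN_USER")
        if acct.locked:
            return self._audit(username, terminal, "LOCKED")   # refused even if correct
        if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failed_attempts = 0
            return self._audit(username, terminal, "SUCCESS", ok=True)
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return self._audit(username, terminal, "LOCKED_OUT")
        return self._audit(username, terminal, "FAILURE")

    def _audit(self, username, terminal, outcome, ok=False) -> bool:
        # Audit trail: who, from which terminal, when, and what happened.
        self.audit_trail.append({"time": datetime.now(timezone.utc).isoformat(),
                                 "user": username, "terminal": terminal, "outcome": outcome})
        return ok
```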
NETWORK SECURITY
Data and resources are shared on a LAN.
The network requires a great deal of security from intruders.
Physical intrusion – when the intruder has physical access to nodes.
- Can use the computer to get onto the network.
- Can remove peripherals from the system.
- From one system, data can be sent to another system in an unauthorised manner.
System intrusion – the intruder is a person who has some rights to use a user account.
- If there are no proper checks in the system, the intruder may enter different packages to gain administrative privileges for which he is not authorised.
Remote intrusion – when an intruder tries to penetrate a system from a remote location across the network – hacking.
BIOMETRIC SECURITY
A technique to measure physical characteristics that is capable of verifying the identity of an individual.
Two types:
Physiological – more reliable
Behavioural
Physiological technology involves:
Finger or hand pattern recognition – highest level of identification; a mature and reliable technology.
Voice recognition – the pattern of pronouncing words; frequency characterisation and mannerisms are taken into account in these techniques.
Iris recognition – a freshly taken video picture of the iris is compared with a stored template.
Behavioural technology – signature recognition.
THANK YOU