
Fundamentals of Information Security, Global Cyber Attacks in e-banking and Cyber Crime with some Cases

Compiled By -
Md. Shihab Uddin Khan
Associate Professor and
Director (Training and Certification Program)
BIBM, Mirpur-2, Dhaka.
Cell: 01710991890, Mail: msukhan@bibm.org.bd

--------------------------------------------------------------------------------------------------------------------
Introduction:

Online banking is a highly profitable channel for banks and financial institutions. It gives customers the convenience and flexibility to use financial services at a lower cost than traditional branch banking. Through the effective application of IT, mobile phones and the Internet, banks can now provide online products and services 24 x 365 to any customer in the world.

As many financial products and services depend directly or indirectly on ICT, banks have to consider how to use IT to minimize cost, increase efficiency and provide better services to customers. We talk about implementing ICT and growing new business with its help, but rarely think about security and vulnerability. Information technology has two sides, technology and security, and the two must advance in parallel. The time has come to concentrate on information security, because with the rapid growth of online banking transactions through remote terminals and delivery channels, the risks in e-banking activities are also increasing. As technology changes very fast and new technology is incorporated day by day, we should enable the latest security features and implement encryption methods and digital signatures to keep pace with the rest of the world. It seems that Bangladesh is one of the most vulnerable countries in terms of cyber security. That is why risk management has become one of the major concerns for policy makers and the top management of banks in the country today. A bank must take the required steps to ensure proper management of online banking risk before going through any transformation. The management of information security has become more essential and critical to the success of enterprises today.

With IT-based banking information systems, information is one of a financial institution's most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution. Timely and reliable information is necessary to process transactions and support financial institution and customer services. A financial institution's earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.

Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement.

Basic Network Layout of Centralized Online Banking:

CONCEPT OF CYBERSPACE AND CYBERCRIME:


What is Cyber Space?
▪ Cyberspace comprises IT networks, computer resources, and all the fixed and mobile devices
connected to the global Internet.
▪ It refers to the combination of CIS, C-Net, Telecomm and Internet.
▪ A nation’s cyberspace is part of the global cyberspace.
▪ It cannot be isolated to define its boundaries since cyberspace is borderless.

What is Cyber Crime?


▪ Crime can be defined as the breaking of rules and regulations imposed by the government of a country, for which the government can punish the criminals.
▪ A crime (unlawful activity / criminal intent) committed in cyberspace is called cybercrime.
▪ 3C in cybercrimes: Computer is a tool, Computer is a medium and Computer is a target.
▪ Use of computers, networks and the Internet by cyber criminals to do something that would be a crime in any case.
▪ Cybercrime is an ‘umbrella’ term for many different types of crimes which either take place online or where technology is a means and/or target for the attack.

Why learn about Cyber Crime?


➢ Everybody is using computing devices.
➢ From white-collar criminals to terrorist organizations, and from teenagers to adults.
➢ Conventional crimes like forgery, extortion, kidnapping etc. are being committed with the help of computers.
➢ The new generation is growing up with computers and internet access.
➢ MOST IMPORTANT - Monetary transactions are moving on to the INTERNET.
➢ Rapid growth of online transactions: e-commerce, e-banking, e-government and e-citizen.
➢ Cyber threat is one of the three biggest global threats (the other two are climate change and nuclear weapons/warfare).

Cyber crime is made possible by the following vulnerabilities:


▪ Anonymity
▪ No Geographical Boundary
▪ Computer’s Huge Storage Capacity
▪ Weakness in Operating System
▪ Lack of Cyber Security Awareness of End-Users
▪ Perception Gap of Management in respect of Cyber Risk in Business

Profile of Cyber Criminals:


(For both Internal and External Cyber Threats / Threat Creators)
o Disgruntled/Dissatisfied employees
o Rogue/Dishonest/Corrupted employees
o Novice or Unaware or Ignorant employees
o Contractual/Daily-basis/Temporary/Part-Time Employees
o Former Employees
o Employees of Third-party Vendors
o Professional Hackers / Crackers
o Business Rival/Competitor
o Political Hacktivist
o Teenagers
o Ex-Boy/Girl Friend
o Divorced Husband/Wife
o Relatives
o Others

Motives behind the Cyber Crime:


▪ Greed
▪ Power
▪ Publicity
▪ Revenge / Vengeance
▪ Adventure
▪ Desire to access forbidden/Corporate information
▪ Destructive mindset / Sabotage
▪ Business Competitiveness & Company Reputation
▪ Wants to sell new security services/solutions (Blackmailing by Vendors)
▪ Governmental/Political Conflict (Global Conflict/War)

Top 5 Cybercriminal Motives of Cyber Attacks:


1) Stealing and Selling Information (Account credentials and credit card information are top sellers)
2) Wiping Data, Blocking Infrastructure (CryptoLocker, Ransomware/Malware)
3) Stealing Money (Capturing Bank Account Credentials)
4) Damaging Company Reputation (Website Hacking)
5) Financial Losses (DDoS Attack)

List of Cyber Crime (This is not exhaustive list of Cybercrime):

• Hacking/Cracking: SQL Injections, Theft of FTP Passwords, Cross-site scripting
• DoS / DDoS Attack
• Malware/Spyware/Ransomware
• Logic Bombs
• E-mail Spamming/Bombing
• ATM / Plastic Card Fraud / Identity Theft
• Spoofing (E-mail/Web)
• Session Hijacking / Web Jacking / Man-in-the-Middle (MITM) Attacks
• Website Hacking
• Fake/Alteration of MICR Cheque (Cheque Fraud)
• Pornography
• Data diddling
• Social Engineering
• Soft. Piracy
• Intellectual Property Theft
• IRC Crime
• Phishing/Vishing/Smishing
• Cyber Stalking/Defamation
• Net Extortion
• Salami Attack
• Others

Types of ATM Fraud

▪ Card Skimming
▪ Eavesdropping
▪ Shoulder Surfing
▪ Card Shimming
▪ Keypad Jamming
▪ Cash Trapping
▪ Card Trapping
▪ Fake Assistance
▪ Fake ATM
▪ Salisi Gang
▪ ATM Malware / Cash-out attack / Jackpotting
▪ ATM attack card/PIN data compromise
▪ Physical Attacks
▪ Logical Attacks

Types of Hackers
1) White Hat Hackers
2) Black Hat Hackers
3) Gray Hat Hackers
4) Script Kiddies
5) Green Hat Hackers
6) Blue Hat Hackers
7) Red Hat Hackers
8) State/Nation Sponsored Hackers
9) Hacktivist
10) Malicious insider or Whistleblower

Four Major Categories of Cyber Crime:


➢ Against persons/individuals (Spamming, e-mail spoofing, Child Pornography, Cyber stalking/defamation etc.)
➢ Against Property (Credit card fraud, intellectual property crimes - Soft Piracy, theft of computer source code, and Internet time theft)
➢ Against (Business and Non-business) organizations (Capture secret data/valuable business information by hacking/cracking, unauthorized access to computer, DDoS, virus attack, e-mail bombing, salami attack, logic bomb, Trojan horse and data diddling etc.)
➢ Crime targeting the government (Cracking any govt./military websites etc.)

There are different types of security attacks which affect the communication process in the
network and they are as follows:

How are the Cyber-criminal groups organized to commit Cyber Crime (A case of ATM/Card Fraud)?

The 6 Types of Cyber Attacks to Protect Against In 2019

How can a user’s computer be captured by a hacker using malware?

Ransomware Attack:

Phishing Attack Using Fake Mail (Three types of Phishing – Mail, Voice and Text/SMS):

Plastic Card Fraud (Statistics of UK Card Services):
(https://www.ukfinance.org.uk/)

UNAUTHORISED DEBIT, CREDIT AND OTHER PAYMENT CARD FRAUD

Fraud losses on UK-issued cards totalled £556.3 million in 2022, a six per cent rise from £524.5 million in 2021. At the same time, total spending on all debit and credit cards reached nearly £1 trillion in 2022, with 28 billion transactions made during the year.

Card Fraud Losses: 2013 - 2022

CARD FRAUD VOLUMES

UK Finance also publishes the number of fraud incidents to convey more fully the dynamics of the fraud environment in the UK. The number of confirmed cases of card fraud (2.73 million) reported during 2022 fell by three per cent compared with the number reported in 2021 (2.82 million).

List of Top 20 Countries with the highest rate of Cybercrime
(source: BusinessWeek/Symantec, June 2016)

Figure - IT based Frauds in BD Banks (2013): pie chart of fraud incidents by channel (Mobile Banking, Banking Application Software, SWIFT and Others, ACPS and EFT, ATM and Plastic Card, Internet Banking), with shares of 43%, 25%, 15%, 12%, 3% and 2%. Source: BIBM Survey, 2013

Top Target Industries for the Risk of Cyber Attack: In Year 2016, 2020 and 2021
Year – 2016: Healthcare, Manufacturing, Financial Services, Government, and Transportation

Year – 2020: Healthcare, Technology and Telecoms, Finance Services Industry, Energy Industry
and Construction Industry.

Year – 2021: Business, Healthcare/Medical, Banking/Credit/Financial, Government/Military, Education and Energy/Utilities.

4 Major Cyber Scams Occurred in Banks:

➢ Attack against Ecuadorian Banco del Austro (BDA)


▪ The attack was conducted in January 2015. It caused financial losses of 12 million USD. During the heist, funds from the BDA were routed to more than 20 companies located in Hong Kong, Dubai, the U.S. and other jurisdictions. After identifying the breach, the BDA succeeded in recovering 2.8 million USD and hopes to recover more money in the future.
➢ Attack against Vietnamese Tien Phong Bank (TP Bank)
▪ TP Bank announced that it had succeeded in interrupting a cyber-attack in December 2015. Although the hackers attempted to use fraudulent SWIFT messages to transfer more than 1 million euros from the TP Bank, the bank was quick to notice the attack and stop the initiated fraudulent messages, thus preventing any financial losses.
➢ Attack against Bangladesh Central Bank (BB)
▪ In February 2016, a fraudulent transfer of USD 850 million from BB was blocked after the
SWIFT detected a spelling error in the name of the recipient (the recipient was spelled “Shalika
Fandation” instead of “Shalika Foundation“). However, BB was not able to stop the transfer
of USD 101 million. The stolen money was directed to bank accounts of various casinos and
Chinese gambling firms. After identifying the heist, BB managed to recover USD 20 million
and hopes to recover the remaining USD 81 million in the future.
➢ The 2014 JPMorgan Chase & Co (USA) Data Breach
▪ Still one of the largest breaches in history, the 2014 JPMorgan Data Breach affected tens of millions of people, and seven million businesses—a total of 83 million customers. Five individuals used malware, social engineering, and spear-phishing attacks to plunder emails, addresses, phone numbers, SSNs, and other customer information including checking and savings account information, not just from JP Morgan itself, but other related financial institutions around the same time.
➢ Cyber Attackers Hacked Nepalese Bank's SWIFT Server
[$4.4 Million Moved to Accounts in US, UK and Japan via Fraudulent SWIFT Messages]

In October 2017, hackers made about USD 4.4 million in fraudulent transfers from the Kathmandu-based NIC Asia Bank to countries including Britain, China, Japan, Singapore and the US while the bank was closed for annual festival holidays. Most of the stolen funds (all but USD 580,000) were recovered after Nepal asked other nations to block release of the stolen money. Nevertheless, investigations continue, and Nepal’s Central Investigation Bureau (NCIB) and KPMG are involved in the process. “The incident showed there are some weaknesses with the IT department of the bank,” said Shivakoti, the chief of NCIB. “We have no indication that our network and core messaging services have been compromised,” SWIFT added. — Reuters

* SWIFT is used by about 11,000 financial institutions around the world to move large amounts of
cash.

Information Security Management:


➢ Information Security means protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification or destruction. (wikipedia.org)
➢ Principles/Attributes of Information Security:
Confidentiality, Integrity, Availability, Authenticity, Accountability, Non-repudiation, High
availability system.

Objective of ICT Security is to protect IT Assets of Banks:
• Data/Information (Database) - Customer’s Accounts Information, Employee Info, etc
• Resources (Hardware, Network & Software)
✓ Hardware/Network Resources - Host Server, App Servers, Core Router & Switch,
Online UPS etc.
✓ Software Resources – OS, Banking Software, DBMS etc.
• Bank Reputation - Smooth online operation, Timely services etc.
• Core / Key Personnel- (CEO, CRO, CIO, CTO, CISO, BOM, PM, DBA, NA, IS Auditor, IT
Security Analyst etc.)

Information Security Framework:

The Information Assurance model is a tool dedicated to defending three key elements: People, Process and Technology.

Domains of Info Sec:

IT Security Measures in E-Banking:

1. Physical Security Measures and
2. Logical Security Measures

Physical (and Environmental) Security: Physical security prevents and discourages attackers from entering a building by installing fences, alarms, cameras, security guards and dogs, electronic access control, intrusion detection and administrative access controls.

Logical Security: Logical security protects computer software by restricting user access through user identification, passwords, authentication, biometrics and smart cards.

➢ Logical security protects access to Computer Systems / Network
➢ Physical security protects the site and everything (IT/IS resources) located within the site from physical damage.
Logical Security in Banks:

❖ Concern about user authorization and different Security Schemes:


➢ Password Protection
➢ Encrypted smart cards
➢ Biometrics / fingerprinting
➢ Firewalls/IDS/IPS
These schemes ensure that only valid users and programs have access to information resources such as user accounts, files and databases.

❖ Concern about data and transaction security and different Security Schemes:
➢ Secret key encryption
➢ Public / Private Key encryption
➢ Digital Signature/Certificate and Certificate Authority (CA)
These schemes are used to ensure the privacy, integrity and confidentiality of business transactions
and messages and are the basis for several online payment systems such as electronic cash and
electronic checks.

Physical Security in Banks:

Lock & Key, Bank Vault, Credit Card Photo, Secure site for ATM booth etc.

Physical Access: List of authorized personnel; maintain visitor’s record; control door access using swipe card & password/biometric devices with a facility for recording entering & leaving information.

Power: Electricity (proper wiring / concealed wiring), Redundant Online UPS, Redundant Auto-Generator, Proper earthing, Lightning arrestor, Surge protector.

Redundant Air Conditioners: Industry-standard precision cooling system to ensure a smooth and stable temperature for the reliability and longevity of sensitive electronic equipment. Maintain separate channels for hot aisle and cold aisle in the data center.

Dehumidifier: For maintaining proper humidity in the air of the data center room.

Fire Control: Fire and smoke detectors, fire extinguisher, auto fire detection and protection system, periodic fire drill.

Emergency Exit: This provision should be made for the safeguard of people and high-cost sensitive equipment.

Location / Site and Construction Standard: Fire-resistant wall, ceiling, door. Earthquake-resistant construction. Green environment and Green Data Center.

Video Monitoring: 24 hrs video surveillance, video recording, preservation of records for a minimum of 30 days, intelligent CCTV and video analytics.

Authentication Method (AM) To Access Banking System:

AM is used to ensure secured and authorized access to resources/services of e-banking operations.


Computer/network security hinges on two very simple goals:

1. Keeping unauthorized persons from gaining access to resources
2. Ensuring that authorized persons can access the resources they need

Categorization of Authentication Methods:

Something the user knows:
- User name and Password
- PIN
- Identifiable Picture
- One Time Password

Something the user possesses:
- Swipe Card
- Proximity Card
- USB Token

Biometric AM – User Behaviors / Behavioral:
- Speech
- Signature recognition
- Keystroke Dynamics

Biometric AM – User’s Physical Characteristics / Physiological:
- Finger print / Palm Print
- Hand Geometry / pattern
- Iris Recognition
- Retinal Pattern
- Matching through facial patterns
- DNA (deoxyribonucleic acid)

➢ Banks should maintain both Authentication & Authorization Level Security control for
any banking transaction
➢ Introduce 2FA method for secure online fund transfer
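As an added example (not part of this handout), the 2FA recommendation above implemented from two of the categories just listed: a password (something the user knows) plus a time-based one-time password (TOTP, RFC 6238) generated from a secret enrolled on the customer's device (something the user possesses), with a one-step clock-drift window and constant-time comparison. The user record, password and timestamps are constructed; the shared secret is the RFC 4226/6238 test-vector value.

```python
"""Two-factor login check for an online fund transfer: a knowledge factor
(password) AND a possession factor (TOTP authenticator) must both pass.

Added example; not code from the original handout. The user store, salt,
password and timestamps are constructed for illustration."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed user record: salted PBKDF2 password hash plus the shared TOTP
# secret enrolled on the customer's authenticator device (RFC test-vector value).
SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)
TOTP_SECRET = b"12345678901234567890"
USERS = {"alice": {"pw_hash": PASSWORD_HASH, "totp_secret": TOTP_SECRET}}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side,
    tolerating clock drift between the bank and the customer's device."""
    counter = now // step
    for drift in range(-window, window + 1):
        # compare_digest avoids leaking the match position through timing
        if hmac.compare_digest(hotp(secret, counter + drift, len(code)), code):
            return True
    return False


def authenticate(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors are evaluated before deciding, so the response does not
    reveal which factor failed; an unknown user is rejected outright."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    t = 59  # constructed timestamp; falls in time-step counter 1
    print("code for t=59:", totp(TOTP_SECRET, t))
    print("login ok:", authenticate("alice", "correct horse", totp(TOTP_SECRET, t), t))
    print("wrong code:", authenticate("alice", "correct horse", "000000", t))
    print("wrong password:", authenticate("alice", "wrong", totp(TOTP_SECRET, t), t))
```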

IT Governance and its role to mitigate IT Risk:


IT Security is the responsibility of all stakeholders in Banks. IT Governance is an integral part of
Corporate / Good Governance. Effective IT Governance ensures active involvement of bank
management in IT to reduce risk in e-banking. The following figure shows the Effective Committees
for ITG: Alignment in Action.

✓ The role of the IT Strategy Committee (will be headed/chaired by CEO/MD and CIO will be member-secretary/convener) is to assist the Board in choosing the right IT Strategy and monitoring its implementation to achieve the desired results.
✓ The role of the IT Steering Committee (will be headed/chaired by CIO and Head of Technology will be member-secretary/convener) is to assist the Executive Management in implementation of the IT strategy approved by the Board.
✓ Information security governance is a subset of enterprise governance that provides strategic
direction, ensures that objectives are achieved, manages risks appropriately, uses
organizational resources responsibly, and monitors the success or failure of the enterprise
security programme. The role of the Information Security committee (will be headed/chaired
by CEO/ED and CISO will be member-secretary) is to devise strategies and policies for the
protection of all assets of the bank (including information, applications, infrastructure and
people). The committee will also provide guidance and direction on the Security Implications
of the business continuity and disaster recovery plans.

Figure - Effective Committees for ITG (Alignment in Action): IT Strategy Committee (What & Why - Strategic); IT Steering Committee (How & Who - Tactical); Project Steering Committees for Project-1, Project-2 ... Project-n (What, Who, When, Where, How - Operational).

Organization Chart for Information Security Governance:

Big banks invest huge sums in cyber security:
• The U.S. federal government, big banks, and big businesses are spending big bucks in a war
against hackers and cyber criminals.
• HSBC Budgets $1 Billion for Cyber Security Improvements.
• JP Morgan Chase Doubles Cybersecurity Spending. In 2014, the company spent $250 million
on cybersecurity; it plans to spend no less than $500 million by the close of 2015.
• Bank of America Corp. CEO Brian Moynihan said the nation’s second largest lender would spend $400 million on cybersecurity in 2015. The cybersecurity team/unit has a blank check and can spend as much as needed to protect the firm and its customers.

The Cyber Security industry is booming:


• IT analyst forecasts are unable to keep pace with the dramatic rise in cybercrime, the refocusing of malware from PCs and laptops to smartphones and mobile devices, the deployment of billions of under-protected Internet of Things (IoT) devices (70 percent of IoT devices have unpatched vulnerabilities) and the more sophisticated cyber-attacks launched at businesses, governments, educational institutions and consumers globally.
• Cybersecurity Market worth 231.94 Bn USD by 2022. (Cybersecurity Report,
MarketsandMarkets)
• Cybersecurity Ventures predicts global spending on cybersecurity products and services will
exceed $1 trillion cumulatively over the next five years, from 2017 to 2021.
• In 2004, the global cybersecurity market was worth $3.5 billion — and in 2017 we expect it
to be worth more than $120 billion.

Figure - IT Budget Allocation in BD Banks: 2017 - 2022 (% of Total Budget). Bar chart by category (Hardware, Software, Network, Security, Training, Audit, Others) for the years 2017, 2018, 2019, 2020 and 2022, on a 0-50% scale.

Cyber Security Awareness in Banks:


One of the greatest threats to information security could actually come from within your company or organization. Inside attacks have been noted to be some of the most dangerous since these people are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee (CTG, 2008).

That is why the focus should be on uninformed users, who can harm your network by visiting websites infected with malware, responding to phishing e-mails, storing their login information in an unsecured location, or even giving out sensitive information over the phone when exposed to social engineering. One of the best ways to make sure company employees will not make costly errors in regard to information security is to institute company-wide security-awareness training initiatives that include, but are not limited to, classroom-style training sessions, security awareness website(s), helpful hints via e-mail, or even posters. These methods can help ensure employees have a solid understanding of company security policy, procedures and best practices.

Some of the more important items to cover in your security awareness training are the organization’s security policy, data classification and handling, workspace and desktop security, wireless networks, password security, phishing, hoaxes, malware, file sharing and copyright.

Internal threats are the big challenge!


➢ It is widely known that internal staff are the biggest threat to IT security.
➢ Research conducted by the US CERT estimates that almost 40 percent of IT security breaches are
perpetrated by people inside the company. [http://www.zdnet.com/article]
➢ Many organizations focus primarily on protecting themselves against hackers and other external
threats.
➢ A recent Forrester report (2016) found that most data security breaches happen because of
employees, i.e. most data security threats are internal. [http://blog.trendmicro.com]
➢ Nearly 90% of IT professionals believe the ‘insider threat’ is not a technology issue. The vast
majority (86%) of IT professionals consider insider threats to be a purely cultural issue, and are
not aware that technology can help them address internal security issues.
[https://www.isdecisions.com/blog/]
➢ Internal threats creators – unhappy/disgruntled employee, Novice or unaware or ignorant
employees, temporary employee, corrupted employee, Former Employee, External Consultant.
➢ Even tech-savvy employees can be fooled into allowing attackers access to company networks.
➢ One of the biggest cyber security challenges for business is that “there is no patch for careless,
greedy or stupid”, said former FBI Computer Intrusion Unit head Don Codling.
[http://www.computerweekly.com]
➢ Endpoint security: any device that can connect to the corporate network, ranging from a desktop
workstation to a laptop, PDA or even cell phone. As the number of endpoints increases, firewalls
and antivirus software are no longer adequate protection. [https://www.cio.com/article]

Securing the Endpoints: The 10 Most Common Internal Security Threats:


In network security, endpoint security refers to a methodology of protecting the corporate network when it is accessed via remote devices such as laptops or other wireless and mobile devices. Each device with a remote connection to the network creates a potential entry point for security threats. As the number of endpoints increases, firewall and antivirus software are no longer adequate protection. The following are the most common internal security threats:
1) USB Devices
2) Peer-to-Peer File Sharing
3) Antivirus Problems (out-of-date signature files)
4) Outdated Microsoft Service Packs
5) Missing Security Agents
6) Unauthorized Remote-Control Software
7) Media Files
8) Unnecessary Modems
9) Unauthorized or Unsecured Synchronization Software
10) Wireless Connectivity

Top 5 Internal security threats:

It is widely known that internal staff are the biggest threat to IT security in banks and NBFIs. Internal
threats creators are – unhappy/disgruntled employee, Novice or unaware or ignorant employees,
temporary employee, corrupted employee, Former Employee, External Consultant. Even tech-savvy
employees can be fooled into allowing attackers access to company networks. One of the biggest cyber
security challenges for business is that “there is no patch for careless, greedy or stupid”, said former
FBI Computer Intrusion Unit head Don Codling. The following are the top 5 security threats posed by
workers/employees.
1) Malicious cyber-attacks
2) Social engineering
3) Downloading malicious internet content
4) Information leakage
5) Illegal activities

Security Awareness: A Sound Business Strategy

The best way to achieve a significant and lasting improvement in information security is not by
throwing more technical solutions at the problem — it's by raising awareness and training and
educating everyone who interacts with computer networks, systems, and information in the basics of
information security.
NIST says that everyone must receive initial awareness training before accessing systems and refresher
training at least annually. It defines 5 specific roles that must receive awareness training:
1. All users — security basics
2. Executives — security basics and policy level training in security planning and management
3. Program and functional managers — security basics and management and implementation level
training in security planning and system/application security management, system/application life
cycle management, risk management, and contingency planning.
4. Chief Information Officers (CIOs), IT Security Program Managers, Auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) — security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, and contingency planning.
5. IT function management and operations personnel — security basics; management and
implementation level training in security planning and system/application security management,
system/application life cycle management, risk management, and contingency planning.

10 Cyber Security Tips or Checklist for Banks’ Customers / Employees:


Reminders about 10 simple things bank end users / customers can do to help protect their computers
and their money from online criminals.
1) Have computer security programs running and regularly updated to look for the latest threats.
2) Be smart about where and how you connect to the Internet for banking or other
communications involving sensitive personal information.
3) Get to know standard Internet safety features.
4) Ignore unsolicited emails asking you to open an attachment or click on a link if you’re not sure who truly sent it and why.
5) Be suspicious if someone contacts you unexpectedly online and asks for your personal
information.
6) Use the most secure process you can when logging into financial accounts.
7) Be discreet when using social networking sites.
8) Be careful when using smartphones and tablets.
9) Parents and caregivers should include children in their cyber security planning.
10) Small business owners should have policies and training for their employees on topics similar
to those provided in this checklist for customers, plus other issues that are specific to the
business.

Some Concluding Remarks –


▪ Continuous Real-time Risk Assessment, Review/Update and Monitoring of Cyber Security
must be ensured.
▪ Cyber Security is the responsibility of all stakeholders of Banks.
▪ Top management (BoDs and Executive management) should have active participation in
Cyber Security.
▪ Banks should remove the Gap of Cyber Security Knowledge & Skill at all levels of
stakeholders.
▪ Adam Vincent, CTO-public sector at Layer 7 Technologies (a security services provider to federal agencies including Defense Department organizations), describes the problem:

“The threat is advancing quicker than we can keep up with it. The threat changes faster than our
idea of the risk. It is no longer possible to write a large white paper about the risk to a particular
system. You would be rewriting the white paper constantly…”

= END =
