
Bank of the Generation

11/08/2021

Welcome!

Information System Security Awareness

Presentation Outline

• An Overview of Information Systems Security
• Cyber Security
• World & Ethiopia Cyber Security Experience
• Cyber Threats & Control Mechanisms
• What to Do and Not to Do
• Conclusion
An Overview of Information Systems Security

Definition: Information System Security is "a state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is kept low or tolerable."

Information System Components (PPT): People, Process, Technology.
Cont'd…

Information system security relies on five elements:
• Confidentiality
• Integrity
• Availability
• Authenticity
• Non-repudiation

The major elements are the first three, namely the CIA triad.
Cont'd…

Potential impacts resulting from the loss of confidential information:
• Reputational damage to GBB
• Loss of trust in GBB
• Legal ramifications for GBB
• Injury or damage to those who have had their private information exposed
• Potential financial ramifications for those affected
• Employee discipline
• Criminal and/or civil penalties for the employees involved
Cont'd…

Cyber Space: the electronic medium of computer networks in which online communication takes place.
• All electronic interactions and data, especially those mediated by the Internet.

Cyber Security: the practice of protecting systems, networks, and programs from cyber attacks.
• These attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.
Cont'd…

Cyber Attack: the deliberate exploitation of computer systems to destroy or disrupt them, steal data, or take control of an organization's systems.
• It can also be an attack against cyberspace itself.

Cybercrime (computer crime, or computer-oriented crime): crime that uses a computer as an instrument to further illegal ends, such as committing fraud, stealing identities, or violating privacy.
Cont'd…

Organizations most targeted by cyber attackers:
• Institutions and banks
• Internet service providers
• Government and defense agencies
• Multinational corporations
• Anyone on the network
World & Ethiopian experiences
• Falling victim to a cyber fraud attack can result in major financial losses.
• Fraudsters can easily monetize stolen information by selling it online.

Statistics on Data Breaches in the UK, 2020
• Up to 88% of UK companies have suffered breaches in the last 12 months. That is lower than Germany (92%), France (94%), and Italy (90%).
• One small business in the UK is successfully hacked every 19 seconds.
• Every day there are 65,000 attempts to hack SMEs, around 4,500 of which are successful.
• 48% of breaches are due to ransomware, and 13% of UK organisations reportedly paid the ransom. The average remediation cost is $840,000.
• 33% of UK organisations say that they lost customers after a data breach.

Cybercrime Could Cost the World $10.5 Trillion Annually by 2025 (growing at 15% year over year)
Evidently, cybercrime is incredibly costly for companies. By not prioritizing cybersecurity, or not recognizing its salience, you greatly increase your chances of damaging your business's bottom line in the long run.

Source: https://www.embroker.com/blog/cyber-attack-statistics/
Why are cyber attacks increasing so sharply?

• The COVID-19 pandemic has been both a digitalization opportunity and an information security risk.
• In April 2020, Google blocked 18 million daily malware and phishing emails related to Coronavirus. (Google)
• COVID-19 unexpectedly accelerated digitalization.
Cont'd…

Cyber security incidents reported by finance, insurance and credit organisations
(data range: 01/04/2021 - 30/06/2021; Quarter 1, Financial Year 2021/22)

Attack type                            Count
Brute force                                4
Cryptographic flaw                         -
Denial of service                          -
Hardware/software misconfiguration         3
Malware                                    2
Other cyber incident                       3
Phishing                                  29
Ransomware                                 8
Unauthorised access (cyber)                4
Grand total                               53

(Rows shown as "-" had no figure in the source; the listed counts already sum to 53.)


Cont'd…

Non-cyber security incidents reported by finance, insurance and credit organisations
(data range: 01/04/2021 - 30/06/2021; Quarter 1, Financial Year 2021/22)

Cause                                                         Count
Data emailed to incorrect recipient                              36
Data of wrong data subject shown in client portal                 3
Data posted or faxed to incorrect recipient                      32
Failure to use bcc                                                1
Incorrect disposal of hardware                                    -
Incorrect disposal of paperwork                                   1
Loss/theft of device containing personal data                     2
Loss/theft of paperwork or data left in insecure location         5
Not provided                                                      8
Other non-cyber incident                                         24
Unauthorised access (non-cyber)                                  13
Verbal disclosure of personal data                                2
Grand total                                                     127

(The row shown as "-" had no figure in the source; the listed counts already sum to 127.)


Results of the cyber security awareness study in Ethiopia, by the Information Network Security Agency
Cyber Threats & Controls

Common information security threats in cyber space, grouped:
• Malware: virus, worm, Trojan, spyware, ransomware, spam, botnet, backdoor…
• Social engineering
• Invoice fraud
• Phishing
  o Vishing
  o Smishing
  o CEO fraud / attack
Malware

'Malware', short for 'malicious software', is software used by criminals to disrupt computer operations and access confidential information.

Malware attacks cost $2.6m per company on average (Accenture, 2020, "Cost of Cybercrime Study").
Malware…

Trojans are a type of malware that enter your computer on the back of other software. They act as backdoors to the computer, granting fraudsters remote access.

Ransomware is a program that enables fraudsters to gain control of your computer in order to encrypt your files, demanding a fee to unlock them. Without the decryption code, it is very unlikely that you will be able to access your files again.
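The ransomware behaviour described above (files rewritten as ciphertext that only the attacker can reverse) has a measurable side effect: encrypted output is statistically indistinguishable from random bytes, so its entropy is close to 8 bits per byte, while ordinary documents sit far lower. The following is an added example, not code from the original slides, showing how a backup job or endpoint monitor can use that to flag a mass-encryption event. The threshold, the burst ratio, the file names and the sample contents are all constructed assumptions.

```python
# Added example (not from the original slides): flag files that look like
# ransomware output by measuring byte entropy, and flag a burst of such files
# among recent changes.  Thresholds and sample data are assumptions.
import math
import random
from collections import Counter
from typing import Dict, List

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumption, tune on your own file set
MIN_SIZE = 64             # entropy of very small files is not meaningful
BURST_RATIO = 0.5         # share of recently changed files allowed to be high-entropy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    # Caveat: compressed formats (zip, jpeg, mp4) also score high.  In production
    # exclude them by magic bytes, not by the extension the file claims to have.
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def suspicious_files(files: Dict[str, bytes]) -> List[str]:
    """Sorted names of the files whose content looks encrypted."""
    return sorted(name for name, data in files.items() if looks_encrypted(data))


def mass_encryption_suspected(recently_changed: Dict[str, bytes]) -> bool:
    """One high-entropy file is normal; a majority of recent changes being
    high-entropy is the signature of ransomware rewriting a directory."""
    if not recently_changed:
        return False
    hits = len(suspicious_files(recently_changed))
    return hits / len(recently_changed) >= BURST_RATIO


# --- constructed sample data (not real files) --------------------------------
_rng = random.Random(2021)            # seeded so the sample is reproducible


def _random_blob(n: int) -> bytes:
    """Stand-in for ciphertext: uniformly random bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAINTEXT_DOC = (
    b"Quarterly loan portfolio review. Non-performing loans decreased by 2% "
    b"against the previous quarter; provisioning remains within policy.\n"
) * 20

SAMPLE_FILES: Dict[str, bytes] = {
    "portfolio_q1.docx": PLAINTEXT_DOC,
    "README_TO_DECRYPT.txt": PLAINTEXT_DOC,
    "portfolio_q1.docx.locked": _random_blob(4096),
    "portfolio_q2.docx.locked": _random_blob(4096),
    "ledger.xlsx.locked": _random_blob(4096),
}

if __name__ == "__main__":
    for name in sorted(SAMPLE_FILES):
        print(f"{name:28s} entropy={shannon_entropy(SAMPLE_FILES[name]):.2f} bits/byte")
    print("suspicious:", suspicious_files(SAMPLE_FILES))
    print("mass encryption suspected:", mass_encryption_suspected(SAMPLE_FILES))
```

Entropy alone is a weak signal on a single file; the burst check over recently modified files is what separates a user saving one zip archive from a process rewriting a whole share, and it is also the point at which to cut the host off the network and fall back to the backups the deck tells you to keep.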
Spyware

Spyware is any software that installs itself (or with minimal human intervention) on your computer and starts covertly monitoring your online behaviour without your knowledge or permission.
• Spyware is a kind of malware that secretly gathers information about a person or organization and relays this data to other parties.
Control Mechanisms

Ensuring information security is a layered process, built from three kinds of control:
1. Administrative / Management Controls
   • Policy, standards, procedures, regulations, information security awareness…
2. Technical / Logical Controls
   • Antivirus, firewall, IPS/IDS, encryption, patching, SOC
3. Physical & Environmental Controls
   • CCTV cameras, door access systems, data center building management system (BMS)

Additional control principles:
• Least privilege
• Need to know
• Separation of duty
• Job rotation
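The three principles above only bite when they are enforced in the systems staff actually use. The following is an added example, not the bank's own code, showing how least privilege, need to know and separation of duty become concrete authorization checks in a payment workflow: each role carries only the permissions its job needs, customer data is scoped to the user's own branch, and the person who raises a payment can never approve it, even if their combined roles would otherwise allow both. The roles, users, branches, customers and payment IDs are illustrative assumptions.

```python
# Added example (not the bank's own code): least privilege, need to know and
# separation of duty as authorization checks.  All names are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Least privilege: a role carries only the permissions the job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller":   {"payment:create", "customer:read"},
    "approver": {"payment:approve", "customer:read"},
    "auditor":  {"payment:read"},
}

# Users, their roles and their branch (assumed directory data).
USERS: Dict[str, dict] = {
    "alice": {"roles": {"teller"}, "branch": "Bole"},
    "bob":   {"roles": {"approver"}, "branch": "Bole"},
    "carol": {"roles": {"teller", "approver"}, "branch": "Piassa"},
    "dan":   {"roles": {"auditor"}, "branch": "HQ"},
}

# Need to know: customer records are scoped to the branch that serves them.
CUSTOMERS: Dict[str, dict] = {
    "C-1001": {"branch": "Bole", "name": "Customer One"},
    "C-2002": {"branch": "Piassa", "name": "Customer Two"},
}

Decision = Tuple[bool, str]   # (allowed?, reason or result)


@dataclass
class Payment:
    pid: str
    amount: float
    created_by: str
    approved_by: Optional[str] = None


def permissions(user: str) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in USERS[user]["roles"]))


def read_customer(user: str, cid: str) -> Decision:
    if "customer:read" not in permissions(user):
        return False, "no customer:read permission"
    if CUSTOMERS[cid]["branch"] != USERS[user]["branch"]:
        return False, "need to know: customer belongs to another branch"
    return True, CUSTOMERS[cid]["name"]


def create_payment(user: str, pid: str, amount: float) -> Tuple[Optional[Payment], str]:
    if "payment:create" not in permissions(user):
        return None, "no payment:create permission"
    return Payment(pid, amount, created_by=user), "created"


def approve_payment(user: str, payment: Payment) -> Decision:
    if "payment:approve" not in permissions(user):
        return False, "no payment:approve permission"
    # Separation of duty: the creator never approves their own payment, even
    # when their role combination (e.g. teller + approver) allows both actions.
    if payment.created_by == user:
        return False, "separation of duty: creator cannot approve own payment"
    if payment.approved_by is not None:
        return False, "already approved"
    payment.approved_by = user
    return True, "approved"


if __name__ == "__main__":
    p, msg = create_payment("alice", "P-1", 5000.0)
    print("alice creates P-1:", msg)
    print("alice approves P-1:", approve_payment("alice", p))
    print("bob approves P-1:", approve_payment("bob", p))
    q, _ = create_payment("carol", "P-2", 100.0)
    print("carol approves own P-2:", approve_payment("carol", q))
    print("dan reads C-1001:", read_customer("dan", "C-1001"))
```

Note that the separation-of-duty rule is checked on the payment record, not on the role table: "carol" legitimately holds both roles (a small branch may need that), and the control still stops her from approving what she raised. Job rotation is the organisational counterpart, and a real system would also log every denied decision for the auditor role to review.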
Social Engineering Attack
• The art of manipulating people so that they give up confidential information.
• A psychological attack used by cyber attackers to deceive their victims into taking an action that places the victim at risk.
• Social engineering often involves using social skills, relationships, or an understanding of cultural norms to manipulate people inside a network into providing the information needed to access the network.

Why is social engineering effective in hacking?
• Trust: it is easier to exploit your natural inclination to trust than to hack your software.
• Greed
• Fear
Social Engineering Types

Baiting: leaving a piece of portable storage media, such as a CD or USB stick, in an open location to tempt a victim into seeing what is on it.

Phishing: the email may be designed to contain and deliver malware via an attachment or a link. If the link is clicked or the attachment opened, the criminal will be able to gain access to your system.
Vishing and Smishing
• Vishing (voice phishing)
• Smishing (SMS phishing)
  o Both involve fraudsters calling or texting, claiming to be from the police, utility providers, delivery companies or even your bank.
Cont'd…

CEO Fraud / Attack: occurs when fraudsters pretend to be a senior manager, often the CEO, in order to persuade a staff member to make a payment.
Business Email Compromise (BEC): a special type of phishing attack that is becoming increasingly prevalent.
• BEC attacks are designed to impersonate senior executives and trick employees, customers or vendors into wiring payment for goods or services to alternate bank accounts.

Shoulder surfing: a technique used to obtain information such as PINs, passwords and other confidential data by looking over the victim's shoulder.

Dumpster diving: searching trash for useful information.

Cont'd…

Invoice Fraud: fraudsters send fake invoices claiming to be from a real business you work with.
• Sometimes they hack your supplier's email account to send the invoice, so the email address is genuine, but the payment details are changed to an account owned by the fraudster.
Prevent Social Engineering

What to do?
• Establish security policy, procedures and protocols.
• Keep personal information personal.
• Always be mindful of risks.
• Think before you click.
• Learn about the techniques of social engineering.

What NOT to do?
• Reply to unsolicited telephone calls, visits, or e-mail messages.
• Download files you don't know.
• Respond to offers and prizes that may be fake.
• Respond to requests for personal information.
Prevent Invoice Fraud

What to do?
• Always verify the details of any payment instructions verbally (call).
• Consider removing information such as testimonials from your own or your suppliers' websites.
• Consider setting up single points of contact with the companies you pay regularly.
• Regularly conduct audits on your accounts.
• Be informed about invoice fraud and its frequently changing variants.
• Change passwords often and do not reuse passwords.

What NOT to do?
• List your supplier information in public.
• Let others who have no concern with the purchase know your purchase details.
• Make the payment in question. If you suspect invoice fraud, you should act promptly.
Prevent CEO Fraud

What to do?
• Any payment request with new or amended bank details received by email, letter or phone should be independently verified.
• Implement a procedure to verify the legitimacy of payment requests.
• Call your suppliers to verify their payment details before you pay to new account details for the first time.
• Remember that this is a common tactic adopted by fraudsters.

What NOT to do?
• Respond to payment requests received by email or phone before verifying them.
• Be pressured by urgent requests, even if they appear to originate from someone senior.
• Share information on social media that could let an attacker learn about you.
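The invoice-fraud and CEO-fraud advice above reduces to a few mechanical checks that can run on every incoming payment request before a person decides. The following is an added example, not the bank's own procedure, that applies them: the sending domain is compared with the supplier's domain on file, any change to the bank details on file forces a hold (this catches the compromised-supplier-mailbox case, where the address is genuine but the account is not), a claimed executive title from an external address is flagged, and pressure language is noted. Crucially, the callback number in the decision comes from the supplier master record, never from the email. The bank domain, the executive list, the supplier record, the account numbers and the three sample requests are constructed assumptions.

```python
# Added example (not the bank's own procedure): screen an incoming payment
# request against the supplier master record.  All data here is constructed.
import re
from typing import Dict, List

OWN_DOMAIN = "gbb.example"   # assumption: the bank's own mail domain
EXECUTIVES = {"chief executive officer", "ceo", "chief finance officer", "cfo"}

# Supplier master: details captured at onboarding, including the phone number
# staff call back on.  That number never comes from the message being checked.
SUPPLIER_MASTER: Dict[str, dict] = {
    "Acme Stationery": {
        "domain": "acme-stationery.example",
        "account": "1000-2222-3333",
        "callback": "+251-11-000-0000",
    },
}

URGENCY = re.compile(r"\b(urgent|immediately|today|confidential|do not (call|discuss))\b", re.I)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def assess_payment_request(req: dict) -> dict:
    """Return {"flags": [...], "action": "..."} for one payment request.

    req keys: sender, reply_to, display_name, claimed_title, supplier, account, body
    """
    flags: List[str] = []
    supplier = SUPPLIER_MASTER.get(req["supplier"])
    sender_domain = domain_of(req["sender"])

    if supplier is None:
        flags.append("unknown supplier")
    else:
        if sender_domain != supplier["domain"]:
            flags.append(f"sender domain {sender_domain!r} is not the supplier's {supplier['domain']!r}")
        if req["account"] != supplier["account"]:
            flags.append("new or amended bank details")          # invoice fraud pattern
    if req.get("reply_to") and domain_of(req["reply_to"]) != sender_domain:
        flags.append("reply-to points to a different domain")
    if req.get("claimed_title", "").lower() in EXECUTIVES and sender_domain != OWN_DOMAIN:
        flags.append("claims to be an executive from an external address")  # CEO fraud pattern
    if URGENCY.search(req["body"]):
        flags.append("pressure language")

    if not flags:
        action = "proceed through normal approval"
    elif supplier is not None:
        action = f"hold; call supplier on {supplier['callback']} (number on file, not from the email)"
    else:
        action = "hold; onboard and verify the supplier out of band"
    return {"flags": flags, "action": action}


# --- constructed sample requests ---------------------------------------------
GENUINE_REQUEST = {
    "sender": "accounts@acme-stationery.example", "reply_to": "",
    "display_name": "Acme Accounts", "claimed_title": "",
    "supplier": "Acme Stationery", "account": "1000-2222-3333",
    "body": "Please find attached invoice 4471 for March.",
}
COMPROMISED_SUPPLIER = {          # genuine mailbox, changed account details
    **GENUINE_REQUEST, "account": "9999-8888-7777",
    "body": "We have changed bank; please pay today to the new account.",
}
CEO_FRAUD = {
    "sender": "ceo.gbb@mail-provider.example", "reply_to": "",
    "display_name": "Chief Executive Officer", "claimed_title": "CEO",
    "supplier": "Acme Stationery", "account": "5555-6666-7777",
    "body": "Urgent and confidential. Pay this immediately, I am in a meeting, do not call.",
}

if __name__ == "__main__":
    for name, req in [("genuine", GENUINE_REQUEST), ("compromised supplier", COMPROMISED_SUPPLIER), ("CEO fraud", CEO_FRAUD)]:
        print(name, "->", assess_payment_request(req))
```

The check is deliberately conservative: a changed account number alone is enough to hold the payment, because the one thing a fraudster with a hijacked supplier mailbox cannot fake is the phone number your own records say to call.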
Prevent Phishing

What to do?
• Be alert to the style, tone and grammar of emails you receive.
• Keep your apps updated; this ensures they have the latest security fixes.
• Think before you click any links in text messages or emails on your mobile device.

What NOT to do?
• Click on links or open attachments from senders you are unsure of.
• Enter any personal or security information on a site accessed through a link in an email.
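"Think before you click" can be partly automated at the mail gateway or in a user-side helper. The following is an added example, not code from the original slides, that parses the links in an HTML email and flags the tricks phishing mail relies on: visible text that shows one address while the link goes elsewhere, a raw IP address as the host, a non-ASCII or punycode host, and a domain that is a character or two away from the bank's own. The trusted domain, the edit-distance threshold and the sample message are assumptions.

```python
# Added example (not from the original slides): flag suspicious links in an
# HTML email.  The trusted domain and the sample message are assumptions.
import ipaddress
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"gbb.example"}   # assumption: the bank's real domain(s)
LOOKALIKE_DISTANCE = 2              # assumption: edit distance treated as a lookalike


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; tolerates a missing scheme."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flags_for(text: str, href: str) -> List[str]:
    flags: List[str] = []
    host = host_of(href)
    if not host:
        return flags
    if is_ip(host):
        flags.append("raw IP address as host")
    if host.startswith("xn--") or any(ord(c) > 127 for c in host):
        flags.append("non-ASCII or punycode host")
    # If the visible text itself looks like a URL, it must agree with the real target.
    shown = host_of(text) if ("." in text and " " not in text) else ""
    if shown and registrable(shown) != registrable(host):
        flags.append(f"text shows {shown} but link goes to {host}")
    base = registrable(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        if base != trusted and edit_distance(base, trusted) <= LOOKALIKE_DISTANCE:
            flags.append(f"lookalike of {trusted}")
    return flags


def analyse(html: str) -> List[dict]:
    """One record per link: visible text, real href, and the flags raised."""
    parser = LinkExtractor()
    parser.feed(html)
    return [{"text": t, "href": h, "flags": flags_for(t, h)} for t, h in parser.links]


# Constructed sample phishing message (not a real email).
SAMPLE_EMAIL = """
<p>Dear customer, your account has been suspended.</p>
<p>Verify now: <a href="http://192.0.2.10/login">https://www.gbb.example/login</a></p>
<p>Or visit <a href="https://secure.gbb.exarnple/verify">our secure portal</a></p>
<p>Manage preferences: <a href="https://www.gbb.example/prefs">https://www.gbb.example/prefs</a></p>
"""

if __name__ == "__main__":
    for link in analyse(SAMPLE_EMAIL):
        print(link)
```

The second sample link is the one users miss most often: "exarnple" renders almost identically to "example" in many fonts, and the visible text gives nothing away, so only a comparison of the real host against the domains you actually trust will catch it.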
Prevent Vishing

What to do?
• If you are suspicious, terminate the call and call back using your usual contact number, not one provided by the caller.

What NOT to do?
• Assume a caller is genuine because they know information about you or your company. Fraudsters are skilled at collecting enough information to sound convincing, and they can change the caller display ID to a genuine number.
Prevent Smishing

What to do?
• Keep informed about phishing techniques.
• Pay attention to urgent security alerts or warnings and treat them as signs of a hacking attempt.

What NOT to do?
• Open attachments or click links in SMS messages.
• Click a reply link or phone a number in a message you're not sure about.
• Store your credit card or banking information on your smartphone.
Prevent Malware

What to do?
• Use anti-malware software.
• Back up important data.
• Keep an eye on any unusual computer activity.
• Scan memory devices before use.
• Try to understand how malware works.

What NOT to do?
• Install unauthorized software.
• Bypass the filters of the computer network or system security.
• Use external memory devices without scanning them.
General Important Security Practices
• Do not use vendor-supplied default passwords for any system.
• Lock your screen when not in use, or make it automatic.
• Encrypt your data.
• Only use official software and operating system packages, not cracked ones.
• Don't leave your desk full of important documents that could be taken or seen by others.
• LOCK office cabinets and doors when you are out of the office or store.
• Remember TO REMOVE your documents from photocopiers, faxes, printers, wall charts and projection equipment.
Cont'd…

• Don't discuss important issues such as what technology is used in GBB.
• Business communication by e-mail must use the GBB mail service.
• Change passwords within a reasonable time for all systems.
• Avoid attaching personal devices to the GBB network unless specifically allowed.
• User accounts must be locked or deactivated for terminated or transferred employees in a timely manner.
• Always encrypt emails that contain sensitive information.
Cont'd…

• Never throw papers or equipment containing sensitive information in the trash.
• GBB e-mail must be used for business purposes only.
• Information security must be a culture for you and your family.
• Keep yourself updated on security issues; follow security newsletters, tips…

Remember! You are always the target.

Think before you click!!!
Conclusion

Opportunities for cyber attacks are sure to grow in the coming years (McAfee's predictions), and each one actually or potentially jeopardizes the CIA of an information system. So you MUST:

• Follow the IS security policy and best practices.
• Keep your software updated and install antivirus.
• Raise awareness of fraud prevention within our company; that is the key.
Cont'd…

It is important to create an information security culture in GBB by encouraging employees to report fraud threats.

GBB staff shall also secure their personal devices, since hackers nowadays use the "hack the home to hack the office" technique.

Known and suspected incidents must be reported immediately. Do not delay reporting under any circumstances.
Thank you!

Bank of the Generation

Information Security is Everyone's Responsibility!!!