Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
As Dr. Singleton points out in our “What Every IT Auditor Should Know About Backup and Recovery” reading, Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are two distinct concepts.
The DRP is put in place to address the loss or interruption of digital/business infrastructure as a result of a disaster, such as a fire or a terrorist attack. A BCP is a strategy, not simply a plan, to mitigate downtime to core business functions. The distinction can appear to be subtle, but I think the following example makes it clearer.
If Acme Motors suffers a catastrophic fire in the factory that houses their data center and automated assembly line, the company would rely on its DRP to address the loss and destruction of key infrastructure.
However, if Acme Motors was looking to migrate its data center to the cloud while replacing 70% of the automated assembly line, they would need to rely on their BCP. Acme would be concerned about minimizing downtime to their business functions as a result of corporate strategy, not a disaster.
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
Disaster recovery is the process by which you resume business after a disruptive event. The event might be something huge, like an earthquake or the terrorist attacks on the World Trade Center, or something small, like malfunctioning software caused by a computer virus.
Given the human tendency to look on the bright side, many business executives are prone to ignoring “disaster recovery” because disaster seems an unlikely event. “Business continuity planning” suggests a more comprehensive approach to making sure you can keep making money. Often, the two terms are married under the acronym BC/DR. At any rate, DR and/or BC determines how a company will keep functioning after a disruptive event until its normal facilities are restored.
Technically, the Disaster Recovery Plan (DRP) deals with the restoration of computer systems with all attendant software and connections to full functionality under a variety of damaging or interfering external conditions. In daily practice Business Continuity often refers to disaster recovery from a business point-of-view, or dealing with simple daily issues, such as a failed disk, failed server or database, possibly a bad communications line. It is often referred to as the measure of lost time in an application, possibly a mission critical application.
In short, we can say that a Disaster Recovery Plan addresses the procedures to be followed during and after the loss, whereas a BCP is the preemptive process put in place in preparation for the handling of a disaster.
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are two different concepts. BCP is the organizational strategy involved with ensuring the continuous operation of core business functions during and after a disaster. DRP is a subset of the overall BCP and is more specific. DRPs may be developed for specific groups within the organization to allow them to recover a business application or function.
The best way to look at this is that BCP is proactive in approach. It defines potential assets and threats associated with core business processes that may adversely affect the business, and derives alternative approaches to maintain business operations and stability. For example, if a building catches on fire, where will the employees work from?
DRP is reactive in approach, because it outlines the actions that a business takes after an adverse event. These might include information on how to recover data or what to do in the event of loss of critical staff.
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. In other words, it provides detailed strategies on the steps that employees must follow during, and immediately after, a disaster.
The business continuity plan (BCP) takes the disaster recovery plan one step further. It is the creation of a strategy through the recognition of threats and risks facing a company, with an eye to ensure that personnel and assets are protected and able to function in the event of a disaster.
These plans are interdependent, but each covers items that the other does not. In fact, DRP includes preventive strategies, whereas BCP introduces strategies that the business will use to maintain operations.
1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
Though Business Continuity Plan and Disaster Recovery Plan are used interchangeably, they have different meanings.
A business continuity plan is business-centric and people-centric, and it focuses on management oversight and plans to make sure that the entire business can continue to operate effectively with as little disruption as possible during and after a disaster. It involves rigorous planning and commitment of resources to plan for the recovery. The BC plan includes all departments and defines the steps to be followed. It ensures that employees are aware of what needs to be done and where to go in case of a disaster. Example: fire drills, emergency contact numbers, etc. The BCP includes both the DRP, for recovering a facility rendered inoperable, and the restoration plan, which is used to return operations to normality.
A disaster recovery plan is a part of the business continuity plan. It is data-centric, i.e. it is concerned with the process of replicating and storing data so that it can be quickly recovered when a disaster occurs. It ensures that the data will be easily accessible so that the downtime to restore operations is minimal and it won’t affect the daily operation of the business. Having a backup in a different location, mirroring of data centers, and properly defined restore points all come under the DRP.
While Business Continuity Plans and Disaster Recovery Plans might sound alike, they are in fact two different areas. One can see this by looking more closely at the names of each plan. For Business Continuity, the plan is to continue the business operations through events such as a natural disaster without any “hiccups”. This plan essentially outlines multiple steps an employee should take for a variety of events such as fires, natural disasters, building collapse, etc. In my experience, when I did an Internal Audit internship, our BCP included the names, telephone numbers, and addresses of all the members of my department, as well as where the designated backup meeting spot was (at a hotel down the road) and telephone numbers of other important staff. The key focus of the business continuity plan is to have the business continue its operations through its personnel during a disastrous event.
Disaster Recovery Plans are different and, as the name implies, are plans to recover after a disaster has occurred. These plans usually revolve around maintaining or recovering data and IT infrastructure after a disaster has occurred, but can also encompass recovering business processes as well. This plan essentially outlines, if a business were to experience a disaster, what its steps would be to go back to pre-disaster or new desired conditions. With that being said, one of the key areas of disaster recovery is the protection and use of data within a company. Since many businesses run off of data or online communication, it is crucial that a Disaster Recovery Plan include some form of data backup policy and how that data will be recovered into the system. The key focus of the disaster recovery plan is to recover business processes and information after a disaster has occurred.
They are different!
A disaster recovery plan provides detailed strategies about the processes and procedures an organization must put in place immediately to ensure that critical functions can continue during and after a disaster and to recover from the event, such as emergency supplies, flashlights, and backup business information.
A Business Continuity plan refers to more comprehensive planning that identifies the long-term, crucial strategies that are needed to ensure that the business maintains stability. It includes DR and addresses how the business will continue its key operations after the disaster. It also refers to how the business will continue its operations after smaller events, such as power outages.
These two terms are always used together, so people forget that there are differences between them.
What is BCP?
Identify contingencies and alternatives for continuing business, and allow the business to define key parameters for the development of the DRP. It is concerned with keeping business operations running after disaster has struck.
What is DRP?
A DRP specifies how the recovery of a function will be performed. Within a DR plan, there will be individual component system recovery plans that specify the steps to recover applications.
BCP tends to focus on the whole business; DRP tends to focus more on a specific side of the business, like the technical side. It is easier to think of a BCP as an umbrella policy and the DRP as part of it. There is a good chance the whole strategy (BCP) will be either less effective or useless for department use when a disaster happens. On the other hand, a DRP can stand alone, and many companies can do fine without a full continuity plan. A BCP is typically set up on a day-to-day basis. The reason to have a BCP is that companies wish to remain able to provide their service or product to customers. A properly defined BCP would include considerations such as paper processes, communication with customers and suppliers, staff relocation, location of other documents, and contact details.
Q1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
BCP and DRP are not synonyms; rather, they are different.
• Business Continuity Planning: a policy-cum-implementation of measures which will ensure continuity of critical business operations after a disaster has struck
• Disaster Recovery Planning: a set of “fail-over” arrangements which ensure restoration of systems, operations and data without loss.
Following are the differences between BCP and DRP:
a. Strategy: Business Continuity
b. Concerns principally with the continuity of business functions even after the disaster has struck
c. Objective is to ensure enterprise-wide continuity of operational activities essential for business
d. Guidance and planning derived from IT Governance and directed by Governing body
e. A broader approach of identification of critical business processes, assets and people
f. Essentially Under Governance-top down approach
g. Defining the Metrics for recovery is MUST
a. Strategy: Recovery from Disaster
b. Concerned mainly with the ability to recover the main systems after a disaster.
c. Objective is effective recovery, defined by metrics such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
d. Guidance and planning are usually responsibility of the IT Head
e. Minimize the effect of Disaster
f. Governance is not emphasized
g. Metrics for recovery & restoration not emphasized
Business continuity plans and disaster recovery plans are different, even though they are both related practices that describe an organization’s preparation for unforeseen risks and continued operations.
A business continuity plan is to minimize service interruption, keep critical systems online during the recovery process, prioritize and cut scope, and consider paper-based emergency alternatives.
A disaster plan is to protect assets and provide enormous business value. It is required by law. Some companies think that backing up is a disaster plan; however, backups are just part of a larger disaster plan, and they only protect data. In addition, backups must be sent offsite. On the other hand, IT departments have the greatest insight into the company, but every other department must contribute to the disaster plan as well, because disaster planning is a business issue, not an IT issue. A disaster recovery plan should outline how a company prepares for disaster, reacts to disaster and recovers from disaster, and roles must be assigned, rehearsed and revised.
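The points above, that backups are only one part of a disaster plan, that they must be sent offsite, and that roles must be rehearsed, can be checked mechanically against the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) metrics an earlier post lists. The following Python is an added example written for this page, not code from the page or from any of the posters; the backup catalog, its field names and the hypothetical "Acme" file server are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample backup catalog for a hypothetical "Acme" file server
# (assumed data, not from the page). Each copy records when it was taken,
# whether it has been shipped offsite, whether a restore from it has been
# rehearsed, and how long that rehearsal took in minutes.
BACKUPS = [
    {"id": "full-sun", "taken_at": "2024-03-03T02:00", "offsite": True,
     "rehearsed": True, "restore_minutes": 180},
    {"id": "incr-mon", "taken_at": "2024-03-04T02:00", "offsite": True,
     "rehearsed": True, "restore_minutes": 210},
    # Last night's copy never left the building: it burns with the server room.
    {"id": "incr-tue", "taken_at": "2024-03-05T02:00", "offsite": False,
     "rehearsed": False, "restore_minutes": None},
]


def _ts(value):
    return datetime.fromisoformat(value)


def usable_backups(backups, incident_at):
    """Copies that survive the incident: taken before it and stored offsite."""
    incident = _ts(incident_at)
    return [b for b in backups if b["offsite"] and _ts(b["taken_at"]) < incident]


def evaluate_objectives(backups, incident_at, rpo_hours, rto_hours):
    """Check the newest surviving copy against the RPO (tolerable data loss,
    measured as the age of that copy at the moment of the incident) and the
    RTO (tolerable restore time, taken from a rehearsed restore). Returns a
    dict of results plus human-readable findings for the DR plan owner."""
    incident = _ts(incident_at)
    findings = [f"{b['id']} is stored onsite only and would be lost with the site"
                for b in backups if not b["offsite"]]
    survivors = usable_backups(backups, incident_at)
    if not survivors:
        findings.append("no offsite copy predates the incident")
        return {"usable_backup": None, "data_loss_hours": None,
                "meets_rpo": False, "meets_rto": False, "findings": findings}

    newest = max(survivors, key=lambda b: _ts(b["taken_at"]))
    data_loss_hours = (incident - _ts(newest["taken_at"])).total_seconds() / 3600

    meets_rpo = data_loss_hours <= rpo_hours
    if not meets_rpo:
        findings.append(f"{newest['id']}: {data_loss_hours:.1f}h of data loss "
                        f"exceeds the {rpo_hours}h RPO")

    # An unrehearsed restore has no trustworthy duration, so it cannot be
    # claimed to meet the RTO no matter what the plan document promises.
    meets_rto = (newest["rehearsed"] and newest["restore_minutes"] is not None
                 and newest["restore_minutes"] / 60 <= rto_hours)
    if not meets_rto:
        findings.append(f"{newest['id']}: restore not rehearsed or slower "
                        f"than the {rto_hours}h RTO")

    return {"usable_backup": newest["id"], "data_loss_hours": data_loss_hours,
            "meets_rpo": meets_rpo, "meets_rto": meets_rto, "findings": findings}


if __name__ == "__main__":
    # Fire in the server room on Tuesday afternoon; the plan promises 24h RPO, 4h RTO.
    result = evaluate_objectives(BACKUPS, "2024-03-05T14:00", rpo_hours=24, rto_hours=4)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed catalog, the check shows why "we take nightly backups" is not a disaster plan: the newest copy that survives the fire is Monday's, so 36 hours of work are lost against a 24-hour RPO, even though the rehearsed 3.5-hour restore does meet the 4-hour RTO.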
BCP stands for the planning of Business Continuity, and DR is the actions taken to recover from a disastrous event to bring the business back to continuity after a calamity or failure. BCP leads to DR.
Business Continuity Planning-
1. It is a blueprint of a plan if an incident occurs. BCP identifies the parameters of DR. BCP defines a plan in advance:
– Critical business activities that will be continued
– What is the process that must be followed in case of an event
– Who must be informed, and what is the time duration within which event occurrence must be reported
– Who are the critical resources who will continue with the activities during and after the event
– What is the timeline for disaster recovery?
– What level of disaster recovery plan is in place?
Ex. Level 1- Inside the same building on a different floor, Level 2- In the different city than the incident, Level 3- Continuity will be done in a different country than the country in which incident occurred
2. BCP consists of 1. BC Strategy 2. BC Plan 3. Impact Analysis 4. Recovery plan stages 5. How information of Incident will be communicated to all
3. Ex. The BCP of an XYZ project will specify that if the normal activities are halted, only critical activities like monitoring servers will be continued. The BCP will identify the critical resources who will continue to work in case of any BCP event.
1. DR defines the steps and procedures towards resuming the critical and normal activities after a calamity has occurred. DR defines the steps to be followed immediately after an incident. DR is how to recover if a failure has occurred.
2. DR identifies 1. Backup Strategy 2. Risk Management 3. Emergency Response Team 4. DRP activation plan 5. DR plan for specific infrastructure ex. Media, internet, and remote connectivity.
3. DR consists of incident response, emergency response, damage assessment, evacuation plans
4. DR ex. DR will specify that in case of an incident at location A, location B resources will take over. The resources from location B will connect via the VPN to the backed-up data located at the client site.
1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
I think these plans are different but reliant on each other, as one covers issues and situations the other does not and vice versa. The Disaster Recovery Plan discusses the specific instructions to be followed in order to resume operations in the aftermath of a natural disaster or national emergency. Overall, this plan protects a business’s IT infrastructure by providing detailed steps that employees should follow during and after a disaster. The Business Continuity Plan follows the DRP by allowing businesses to follow a strategy tailored through the recognition of threats and risks facing the business, as well as ensuring that employees and assets are protected in the event of a catastrophe.
Great post, Pryia, and a great explanation. The examples you used really bring the plans to life and make the difference so much more apparent. Great job!
1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
The difference between BCP & DRP is in the name. BCP is a Business Continuity Plan. Continuity means remaining constant or continuing. This means the BCP is a plan to follow when the system goes completely down. A solution is to have a second server in place, so in case the “original” server were to go down, you could redirect traffic to the second server or a NAS device. The DRP is a Disaster Recovery Plan. This means the DRP is a plan to follow when you need to recover data or a system. A solution for this is remote backup. The data is backed up to the cloud and accessible if a user accidentally deletes an email or file.
Here is a link to how ISACA describes it: http://www.isaca.org/Groups/Professional-English/business-continuity-disaster-recovery-planning/Pages/ViewDiscussion.aspx?PostID=72
Here is what they say:
“BCP refers to plans about how a business should plan for continuing in case of a disaster. DR refers to how the IT (information technology) should recover in case of a disaster.”
Although there is some overlap between the two, they are different and not synonyms. A disaster recovery plan is essentially a subset of a business continuity plan. A business continuity plan is much broader than disaster recovery and ensures that a business will still operate in the event of a disaster or catastrophic event. Its purview includes the entire infrastructure, including both the hardware and software, not only the data. A disaster recovery plan only ensures that the data can be recovered in the event of a disaster. However, if there is a disaster and the business only has a DRP and not a BCP, then there will likely be an interruption in business operations. It will take time to recover the data and then make it accessible to the business. If the infrastructure is also damaged, then the data will remain inaccessible until the repairs are made.
Business Continuity Plan and Disaster Recovery Plan are different. BCP refers to the response strategy that kicks in in the event of a disaster. It involves alternate planning of employee staffing, network availability, and physical resources such as office space, desktops, and even power in case of a disaster. The BCP is the steps taken to ensure that the business continues to deliver on expectations in the face of single or multiple disasters.
Disaster Recovery Plan: the actions to be taken or steps to be performed to recover the state of IT systems to the same state as before the disaster, onto the same or remote sites depending on the disaster. It includes the planned actions for restoration of data and IT systems in the event of disasters like a server crash or physical harm to equipment or a data centre.
The BCP comprises the actions that need to be kicked off immediately, while Disaster Recovery may still be underway or may not have even kicked off. The BCP provides the process to be followed as soon as a disaster occurs; it is the first response, while the DRP provides the process to be followed after the disaster has occurred and business continuity is established.
Since the BCP also covers availability of employees, it is possible that an incident can occur which would require only the BCP to be triggered and not both BCP and DRP, e.g. staff being unable to travel to the office due to political strikes or riots, and staff located in another city filling in for unavailable personnel to ensure business continuity.
According to ISACA, a business continuity plan (BCP) refers to plans about how a business should plan for continuing in case of a disaster. It allows a business to plan in advance what it needs to do to ensure that its key products and services continue to be delivered at a predefined level.
Disaster recovery planning (DRP) refers to how the IT should recover in case of a disaster. It allows a business to plan what needs to be done immediately after a disaster to recover from the event. In daily practice, a Disaster Recovery plan often refers to major disruptions such as a flooded building, fire or earthquake disrupting an entire installation, and data branch to an organization.
BCP:
• Activities required to ensure the continuation of critical business processes in an organization
• Alternate personnel, equipment, and facilities
• Often includes non-IT aspects of business
DRP:
• Assessment, salvage, repair, and eventual restoration of damaged facilities and systems
• Often focuses on IT systems
In short, DRP addresses the procedures to be followed during and after the loss, whereas BCP is the preemptive process put in place in preparation for the handling of a disaster.
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are not synonyms. Rather, DRP can be categorized as a subset of a BCP. BCP is all about maintaining critical business operations following a disaster. The elements necessary for business continuity include the physical location of the place(s) of business, staffing, equipment, inventory, transportation, distribution channels and of course IT systems. DRP is considered a subset of BCP because it mainly focuses on the IT systems of the BCP. DRP is the process of saving data with the sole purpose of being able to recover it in the event of a disaster. The root of disaster recovery is that data is kept in a secondary site, and plans are made to ensure that the data will be recovered and the business can access it in a timely fashion.
Continuity represents a much larger scope of planning and maintenance than recovery. However, given the dependency most businesses have on technology, disaster recovery is usually a top priority because it supports all the other elements of the business continuity plan.
Although Disaster Recovery and Business Continuity sound very similar and have a lot of overlap, they are different.
Disaster Recovery outlines how a company prepares for disaster, what the company’s response will be in the event of a disaster, and what steps the company will take to make sure operations will be restored (recover from the disaster). This plan should include many possible scenarios. Since causes of disaster can vary greatly, it can include causes from deliberate criminal activity to a natural disaster like fire, from a stolen laptop to power outages and terrorist attacks. There are hundreds of possible scenarios, and they vary based on culture, geography and industry.
It is also important that the disaster recovery plan is distributed across the organization so that everyone knows their role within the plan and can also take over the roles of their teammates who are unable to perform their duties.
It’s a plan that outlines what steps an organization must take to minimize the effects of service interruptions.
For example: hospitals have generators to ensure that their patients still get the required treatment (service) even in the case of a power outage (interruption). Back when companies were mainly paper-driven and information processing was done using batch processing, organizations could tolerate a few days of downtime. Nowadays, technology has become faster and cheaper, and companies have thus begun computerizing their critical business activities; companies now have systems in place to minimize unplanned downtime.
Business Continuity planning focuses on sustaining an organization’s business processes during and after a disruption.
Business continuity is based on standards, policies, guidelines, and procedures that facilitate continuous operation regardless of the incidents. Disaster recovery (DR) is a subsection of business continuity and is concerned with data and IT systems. Although BC and DR are always used together, actually, they are two different concepts.
As the definition indicates, DR is a subsection of BCP, i.e. business continuity represents a much larger scope of maintenance than the recovery of just the data and IT infrastructure. Disaster recovery (DR) refers to having the ability to restore the data and applications that run your business once your data center, servers, or other infrastructure get damaged or destroyed. One important DR consideration is how quickly data and applications can be recovered and restored. Business continuity (BC) planning refers to a strategy that describes the processes and procedures an organization must put in place to ensure that mission-critical functions can continue during and after a disaster, enabling a business to operate with minimal or no downtime or service outage.
Therefore, a disaster recovery plan is more reactive while a business continuity plan is more proactive.
The Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are different. Disaster recovery is a subset, a small part of the overall business continuity. It is the process of saving data with the sole purpose of being able to recover it in the event of a disaster. Disasters in IT can range from minor to major: from the minor loss of an important set of data to the major loss of an entire data center.
Different from the DRP, a business continuity plan typically refers to the management oversight and planning involved with ensuring the continuous operation of IT functions. Moreover, it is not data-centric but business-centric. The most important point for business continuity is to continue to do business even if a failure or disaster has occurred.
From the endnote of What Every IT Auditor Should Know About Backup and Recovery, we can see that “BCP and DRP are different and separate”.
BCP is about the business continuing to operate if something goes wrong. DRP defines the business requirements for a Disaster Recovery Plan. DRP deals with the restoration of computer systems with all attendant software and connections to full functionality under a variety of damaging or interfering external conditions. The DRP will specify how the recovery of a function will be performed. In a DR plan, there are individual component system recovery plans that specify the steps to recover applications.
BUSINESS CONTINUITY PLANNING (BCP) – A process that organizations use to plan and test the recovery of their business processes after a disruption. It also describes how an organization will continue to function under adverse conditions that may arise.
DISASTER RECOVERY PLANNING (DRP) – A process of planning and testing for recovery of information technology infrastructure after a natural or other disaster.
Both BCP and DRP are very important to IT auditor. However, BCP and DRP are not synonyms because BCP is the preemptive process put in place in preparation for the handling of a disaster. DRP addresses the procedures to be followed during and after the loss.
DRP and BCP are both used situationally and customized depending on the needs of the companies that create and install them. The BCP is the preventative process put in place in preparation for how to respond to a disaster, while the DRP addresses the procedures to be followed during and after the loss. For example, the DRP deals with the refurbishment of computer systems in terms of getting the system’s software and connections back to full functionality. The BCP is from the business perspective and often refers to disaster recovery in terms of a failed server or database, for example.
Good example Ahbay,
Hospitals usually have a special control to mitigate the risk of running out of power. It is one example of a Business Continuity Plan (BCP), which is really important for patients’ safety. In the same way, companies should be able to operate at a minimum level so as not to affect consumers.
Good post Shahla,
Even though DRP and BCP sound similar, they are totally different from each other. The Disaster Recovery plan focuses on how to recover from the event, whereas the Business Continuity plan focuses on how to maintain its main functions during or after the event.
Great post, the video really helped me understand the difference between both Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). This video describes how they are different and simplified reasons on why. It also points out that the IT department or head should help the company write the disaster plan because they have the greatest insight of the company. Very useful video!
You are right, Yu Ming: DRP and BCP are similar but different from each other. Actually, the Disaster Recovery Plan is part of the BCP; besides the DRP, there are many other methods to ensure the business continuity of an organization. For example, an effective backup plan can also mitigate the risks and enhance the continuity of the business.
Thanks for sharing the hospital example! It’s very important to have a Business Continuity Plan (BCP) to guide the hospital in its response to an emergency/disaster situation or a mass casualty incident. Patients’ safety should be the hospital’s priority concern. Also, organizations should strengthen their capacity to scale their response to a range of events impacting operations.
What are the security challenges in online banking?
Question 1: What are the security challenges in online banking?
Online banking has become prominently global due to its ever-so-easy banking platform. The convenience of online banking allows its internet users to manage their bank accounts from anywhere in the world, at any given time. Like HDFC, many banks have been encouraged to partake in this trend. Furthermore, online banking saves banks a lot of resources such as operational cost, staff training, and branch and ATM investments. The basis of online banking is to dramatically enhance the users’ experience by providing and bridging the access to their bank accounts at their fingertips.
However, since the Internet was not originally intended for banking, banks are now faced with a wide array of security risks for both offline and online infrastructures. Some of these risks include phishing scams, spamming, credit card fraud, identity theft, as well as many other related cyber-crimes. Subsequently, there is not a doubt that the transition to online banking has greatly improved banking globally, but the absence of proper controls, whether legal or regulatory, infrastructure failures and consumer protection continue to pose major challenges for online banking operations. The objective of this case analysis is to critically evaluate security challenges faced by online banking, as represented in the HDFC Bank fiasco.
As depicted in the HDFC Bank case study, many banks and managers are being challenged with attempting to remain cutting edge as well as strong competitors. CISO Vishal Salvi experienced this first hand at HDFC. He was being challenged with the use of new technology and software systems, all in order to remain a key player within the banking sector in India. However, one must be careful with this. They must assess and weigh the probable impact on the business as well as maintain alignment with the business objectives. Like HDFC Bank’s, many banks’ CISOs are faced with the same three major dilemmas. “How do I ensure the security of an online transaction while still keeping customer convenience as a priority? Should I make secure access mandatory or should I leave it discretionary? Should I go for an onsite model or for a cloud model?” These questions are tough to answer because no two banks are the same, and they face different issues.
Yet, with the many benefits of online banking, there are many inherent security risks involved concerning confidentiality, integrity and availability. These security challenges pose many risks, such as the confidentiality of personal information being exchanged, authentication in regards to the integrity of the online banking platform, and the ability to access the platform. Conversely, there is no doubt that all of these security risks can overlap simultaneously. With that being said, a bank must secure its transactions by possessing confidentiality and integrity controls so that the users’ transactions and content exchanges with the bank remain secure; without strong authentication techniques the banks have no way to be sure that the user placing a request is the person they say they are. The HDFC Bank case study exemplifies these risks when dealing with online banking. Today, technology is the future and will continue to expand even more throughout the future. Along with technology’s evolution, online banking needs to evolve as well to combat those risks. Banks need the ability to define the risk factors involved, such as regulatory risk, legal risk, operational risk, and reputational risk. Consequently, although a considerable amount of work has been done in adapting banking and supervision regulations, continuous attention and modifications will be essential as the scope of online banking and technology increases.
Overall, there is no one-size-fits-all strategy. There are numerous different types of security dangers that affect the online banking platform. On the other hand, by focusing on a multi-layer protection approach, a bank can focus on system security, protection of consumers’ interests, as well as other factors. This approach would allow a bank to implement a mix of different factors when implementing controls, a few being: shielding the authentication process from malicious activities that can affect the customer; providing customer authentication strategies which allow the user the ability to verify the connection before accessing the site; effective communication with the customers that a potential occurrence of fraud is happening; etc. As mentioned earlier, there are many risks involved with online banking, but it is up to banks to mitigate these risks to the best of their ability with the strong use of IT Governance.
With the rise of technology and a growing number of Internet users, banks found it convenient to offer online banking to their customers, allowing them to manage their finances anytime, anywhere. However, as online banking becomes increasingly popular, it is more vulnerable to security threats and presents various security challenges that should be addressed individually. Those security challenges include authentication, authorization, privacy, integrity and non-repudiation.
Authentication refers to the idea of virtually making sure that the user is who they claim to be. In fact, if one can pretend to be another person, the possibilities to compromise the privacy and integrity of that person’s financial data are endless. Banks need to clearly identify the person accessing the account. This is usually done using single-factor authentication such as a username and password. However, with the increasing number of online frauds, the use of single-factor authentication has been inadequate for guarding against account fraud and identity theft. Hence, banks add more layers of security using multi-factor authentication, consisting of using two or more factors together, to protect customers’ identity. The main issue with multi-factor authentication is user fatigue. Indeed, as mentioned in the HDFC Bank case study, customers want “simplicity” whereas authentication requires them to enter a username, password, answers to security questions and more, in order to only make a simple transaction (p. 8).
Following authentication, authorization is another security challenge in online banking. Users need to not only be authenticated, but also have the permission to make a specific transaction. The authorization process is another layer of security added to protect customers’ accounts. For instance, a large transaction may require approval from the bank before going through. During this approval time, the bank has the opportunity to verify if the person who initiated the transaction is an authorized user. SafePass, used by Bank of America online banking, illustrates this concept well. It uses a 6-digit one-time code sent in a text message to the user’s registered mobile number to help verify their identity before authorizing certain transactions, including higher-value transfers or logins from unusual devices. Authorization, like authentication, can be seen as tedious for users in a hurry to make a rapid transaction, for example.
Moreover, privacy should be of major concern in online banking because it can lead to unwanted exposure of information, which can be used to commit ID theft. The main challenge here is to teach users how to protect their privacy while accessing their online account. Indeed, personal privacy is threatened the second users log on, and this is the main fear of customers in India who would rather use physical locations. However, some privacy safeguards can be used to minimize the risk. These include strong passwords, secure devices and limited personal information sharing on social media. Additionally, when it comes to transactions, banks must create secure platforms ensuring that the exchange of sensitive information is only between the two parties involved and no one else. In other words, the sender’s personal information should be kept secret in order to increase the security of the transaction.
Above all, data integrity and non-repudiation should be part of the online banking IT security system because they protect banks from frauds. Data integrity refers to the idea that banks should have security protocols leveraging encryption for transferring data. This will ensure that information can only be accessed and modified by authorized users. Similarly, non-repudiation implies that online banking should be monitored in a way that would prevent customers from repudiating transactions they authorized. For example, if users deny and claim a refund for transactions they intentionally made, the bank should have the necessary tools to prove otherwise.
A strong IT security system should take into consideration the security issues that online banking presents. Those issues are authentication, authorization, privacy, integrity and non-repudiation. Indeed, online banking offers easy access to financial accounts, which makes it the main target for phishing attacks. However, understanding the risks and challenges involved will allow banks and customers to safely protect their data.
Great analysis Laly.
However, when you say that “no banks are the same and face different issues,” it is both right and wrong. To me, when it comes to online banking, all banks have the same issues, the same security challenges in that case, given the nature of the service they provide to customers.
Perhaps in another context like financials or organizational structure, that statement may apply.
You summarized it well Magaly. Great point about a strategy not being a one-size-fits-all approach. I think the basic issues remain the same but the ways to implement them become different for organizations dependent upon the business operations, geographical location, the core business function and different cultures where the business is active.
Like in this case, HDFC Bank has to deal with two main problems. One, maintaining the trust of customers who are used to offline and in-person banking. Two, the trust is at stake even with dormant customers who have created an account online but do not use it.
Another important thing to discuss is whether giving IS security to an expert vendor is a good choice over in-house management. In the case of HDFC, when they were exploring a new area and trying to recover from so many problems, it was better to take expert advice. That would save a lot of time as experts would not be experimenting; RSA was already an expert and had explored the security solutions.
HDFC Bank is one of the leading private banks of India. This case analysis will focus on the question of what the security challenges in online banking are, and I will provide a recommendation.
Online banking is an electronic payment system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial institution’s website. Not only was HDFC Bank facing security problems with online banking; all online banking faced the same security problems. For example, a phishing attack is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. According to the case, “customers were receiving e-mails claiming to have originated from the bank and seeking sensitive account information, including passwords and personal identification codes.”
Additionally, there is a competitive banking environment, so many banks quickly start online banking to take more market share. This will lead to online banking system vulnerability. Many customers are apprehensive about online transactions because online banking is still in its early stage in India. What’s more, RBI announced a set of guidelines for online banking; however, Indian banks may not follow them. “RBI observed that at present some banks do not have proper security policy and methods to monitor the service level agreements with third parties and have inadequate audit trail.” (Comparitive Study of Online Banking Security System of various Banks in India, Rajpreet Kaur Jassal)
As the CIO of HDFC Bank, Salvi had provided HDFC’s dilemmas in strengthening security in order to face these challenges. Firstly, HDFC Bank balanced between customer convenience and system security. According to the case, “she had to strike a balance between keeping the IS transparent to the customer (so that he or she breezed through an online transaction without barriers) and making it effective from the bank’s point of view (so that the bank was not taken for a ride by potential fraudsters).” Second, she had to increase the secure access. “Salvi was planning to introduce a second level of authentication for all online customers… and beneficiaries.” The beneficiaries mean “another major part of secure access was asking the customer to provide the bank with a list of account holders with whom the online customer’s transactions would be periodical and regular.” Third, she selected the secured server location. Locating the servers onsite or offsite should be decided by Salvi, according to the two models’ advantages and disadvantages. “The main advantage of the cloud, as its name suggested, was that it was fluid and elastic. It could expand and contract depending upon the need of the user to scale up or scale down the relevant computing services.”
It is necessary for Salvi to solve those issues, and I provide some recommendations for Salvi in order to increase the level of security as follows:
1. Creating a cyber security policy and making internal controls. HDFC Bank should follow the RBI regulations to create a security policy for the bank, which can provide specific documented business rules to protect information and systems in order to optimize risks and resources. It is critical for a bank to understand the role IT plays in order for the department to help the bank succeed.
2. Increasing the security level of the online bank system through a layered security approach. When the bank accepts a transaction, it should be verified by Visa, MasterCard SecureCode and JCB J/Secure. Additionally, the bank should monitor irregular large-amount billing transactions. The bank also can use adaptive authentication for e-commerce. Those methods would minimize the risk of transactions through the online bank system.
3. Freezing dormant accounts. If the time that customers don’t use their online accounts exceeds 6 months, the bank will be able to freeze the dormant accounts automatically. Users can reactivate their accounts online by using their authentication information.
4. Building up cloud computing with dedicated bandwidth. Although this practice costs the bank lots of money, it is the most reliable way to provide trustworthy financial services to customers.
Overall, those recommendations can help HDFC improve its secure online system, and those recommendations also can be used by other Indian banks.
What are the security challenges in online banking?
Online banking has become a trend; as we can see in Exhibit 2, millions of people are using the Internet today. Usually, when you open a bank account, it will come with an online account. Online banking has two components: net banking and mobile banking.
Therefore, we can analyze some major problems in these two components first:
Challenges faced in net banking:
Most computers have the function of “remember your password and username” now. Banks should eliminate this function when designing online bank websites.
Challenges faced in mobile banking:
Smartphones have security flaws themselves; clicking on a simple link can bring malware onto the smartphone. In 2014, a security expert named Winston Bond demonstrated how easy it was to reverse engineer mobile apps: decompiling them back into source code, altering the behavior of the app, and reuploading it back onto the app distribution servers (Makeusof.com).
There are nine most common online frauds that banks should be aware of: spam, scam, malware, phishing, pharming, man-in-the-middle, man-in-the-browser, replay attack and crimeware (Exhibit 7). HDFC Bank suffered from a phishing attack in 2007.
The overall challenges for online banking (net banking and mobile banking):
1. Adaption: in the light of how rapidly technology is changing today, adapting different versions of online banking is the first thing that every bank should think of. The password system, management of databases, applications, etc. need to be updated to the newest technology in order to mitigate the risks.
2. Legalization: new methods of conducting transactions, new instruments and new service providers need permission from regulatory departments. For example, it will be essential to define an electronic signature and give it the same legal status as the handwritten signature (imf.org).
3. Harmonization: since most banks have branches in different countries, they may have different regulations among countries. The international harmonization of online banking is also a challenge for banks. They need to adjust their systems and applications based on a country’s law and culture.
4. Integration: Salvi mentioned in the case that for HDFC Bank, an IS framework, in the light of the changing ecosystem, has three dimensions: technology integration, business integration and risk integration. This is the process of including information technology issues and their accompanying operational risks in bank supervisors’ safety and evaluation.
Question 1: What are the security challenges in online banking?
Online banking is popular because it’s accessible, quick, and convenient. With the biggest network ever created (the Internet), online banking became a “must have” for banks. Even banks in developing countries are implementing online banking. It eliminates long lines in the bank and makes it easy for customers to monitor their transactions. It is so convenient that some banks operate only online. Unfortunately, security is a big issue. This easy access to your bank account makes online banking a target for hackers.
In fact, as it is easy for the customers to access their accounts in a few clicks, it is also easy for a hacker to find a way to penetrate the system. Online banking presents several security challenges like phishing scams, identity theft, and credit card fraud, which also shows that hackers are not only looking for your money but also your personal information. Online banking is a double-edged sword.
In our specific case, Mr. Salvi, the Chief Information Security Officer (CISO) of HDFC Bank, is facing many challenges with managing online banking in the bank. After a phishing attack in 2007, HDFC took corrective measures and contracted an IS security solution provider to set up a 24/7 command centre. Mr. Salvi must find a balance between customer convenience and security. The more barriers you put between customers and their account, the more you irritate them.
Authentication is one of the biggest security challenges in online banking. The bank system must be sure that the person logging in is the right person. One of the solutions to counter this challenge is to implement two-factor authentication. It requires a second code when logging into your account. Mr. Salvi is planning to implement that solution in HDFC Bank but faces another dilemma: whether to provide secure access to every online user or limit it to active users.
Another security challenge in online banking is how to protect the IS infrastructure. In the HDFC Bank case, Mr. Salvi is hesitating between having his servers at the bank data centres or hosted by an IS vendor. Both represent a risk and are vulnerable to hacker attacks. The servers (authentication servers and online servers) are crucial for the bank’s online operation. The challenge here is not where to store the servers but how to protect them from intruders.
Online banking security challenges also respond to the CIA triad. There is a confidentiality risk to the extent that personal information is being used. Confidentiality can be seen as privacy, and in online banking you don’t want your sensitive information to be shared with anyone. Once a non-authorized person has access to your information it affects the integrity of the information. This is why authentication is really important in online banking. The bank must prevent people other than you from accessing your account. The bank also needs to secure and protect its infrastructure in order to avoid disruption of the service. Customers want to be able to access their accounts 24/7, and it is the bank’s job to make sure customers access their accounts in a secure way.
In my humble opinion, customers are also a security challenge for online banking. People are the weakest link in IS and represent a danger to themselves. Most of the time, it is through people that hackers intrude into systems. It is important that customers understand the dangers of the Internet and protect their information before any additional protection from banks. The root of the problem is that people (customers) want convenience and don’t think about the consequences. Some people write down their passwords or use the same password for different accounts. Others save their passwords on their computers… I think banks should educate and provide weekly security tips (precautionary measures) to their customers.
The bank should also develop a strong IT system which will reduce the risk of security breaches. Another way to counter cyber-criminality in online banking is to work together. Banks should create an organization where they will share their bad experiences and design solutions together.
What are the security challenges in online banking?
Online banking offers benefits to both banks and their customers. Banks can offer more services with greater availability with fewer resources. Customers gain added convenience and availability of their money. Many transactions that used to require visiting a local bank branch to complete can now be done online or on a phone. Banks benefit by offering the same service without requiring a physical branch, and customers can complete the transaction anywhere and anytime. As the article noted, banks were uniquely suited to build and convince customers to use mobile banking applications because of a strong public perception of risk management and security. The Internet, however, is an inherently insecure entity, and presents numerous risks to banks as more banking applications migrate to the Internet.
Banks face the same problem as many other industries with cyber security: the delicate balance between security and convenience/accessibility for customers. Too much security can often lower convenience for customers, making the process more cumbersome. Too little security with a convenient platform may create a better experience, but will likely expose customers to more cyber threats. Customers will not use a mobile banking platform that is not secure.
The article lists five areas for online banking security that must be addressed: authentication, authorization, privacy, integrity, and non-repudiation. Authentication ensures that the user accessing the bank account is the correct user. Before any transaction can proceed, the correct user identity must be established. Authorization then validates if that user has permission to complete the requested transaction. A customer should only be allowed to make transactions specific to his/her account, and should meet regulatory/compliance guidelines. Users also expect the bank to protect their privacy and not allow a third party to access financial transaction data without permission. Purchases, transfers, and other transactions are not public knowledge and people will not use a bank that does not protect customers’ privacy. Integrity refers to the inability to alter data related to the transaction. Both parties must trust that the data is accurate or customers and the bank may lose confidence in the system. Last, non-repudiation prevents either party from denying consent or communication regarding a transaction. A customer cannot sign a document with a digital signature and then later contend that they did not. Nor can the bank authorize a transaction and then deny it at a later date.
Said, thanks for the post. You’ve summarized the challenges of online banking very well. I agree with you that people are the weakest link in any information security program. Aside from the people using a bank’s online resources, you have the people internal to the bank that may be subject to intentional or unintentional fraudulent activities. Another major concern regarding people in this mobile banking environment is the sheer number of mobile applications that people install on their devices. Apps tend to continue to share more and more information with each other, causing concerns about what information is actually being shared about you. Say, for example, you downloaded an app, and without your knowledge or consent, the app collects information on the apps you have installed on your phone. The information collected had online applications for banks such as Bank of America or Citibank, and is sent to a hacker. Now the hacker has personal information about you, from signing on with Facebook, and knows what banks you use. They can use this to target you with phishing scams to get you to reveal your account information for Bank of America or Citibank.
I respect your opinion in that regard. However, I do believe banks have different issues that are more situational and not universal. What one bank lacks, another may not. Generally speaking, the IT industry is very new and constantly evolving, so the security challenges do apply, but like mentioned above they might need to be handled differently because they must align with the business’s objectives, location and size. Nowadays, banks are facing plenty of challenges such as not making enough revenue, consumer expectations, competition from financial technology companies, and regulatory pressure. Though these issues may be prevalent across all boards, they need to be handled in a manner that positively impacts their business.
Thanks Priya. Great additions. I completely agree with your context in regards to the approach. One must take into account the other factors when implementing strategies. As for the expertise aspect, you hit the nail on the head with that one. The CISO should have acknowledged his lack of experience within the online banking realm and should have sought out guidance. It is never wrong to need help and ultimately, if he had done so, they probably wouldn’t have been a victim of phishing scams.
Well summarized Said!
Towards the end you suggested that, “banks should educate and provide weekly security tips (precautionary measures) to their customers”, which is a great control in the disclaimer aspect. Personally, I would love if my banks did that or even have yearly password updates.
As for the banks coming together to share knowledge, in theory that sounds amazing. However, at the end of the day banks would rather not disclose their information, especially to their competitors. It’s sad how the business world works in that regard, but it must be done to stay prevalent.
Question: What are the security challenges in online banking?
As a top-15 ranked bank in India, HDFC had $15.64 billion in deposits in 2007. In the same year, 1.28 million customers, which is 28% of HDFC Bank’s retail customers, claimed that they were the target of a phishing attack; many of them held an online banking account with HDFC Bank. In this case, the bank’s online banking system and its information assets are challenged.
Generally, the security challenges in online banking exist both for the customers and for the bank’s online banking system itself. From the customers’ perspective, the first challenge is protecting personal identity information (PII) like the account number and online passwords. Besides, ensuring the physical protection of debit and credit cards is also important for online banking users. On the other hand, the online banking system also faces security challenges from Internet attacks like unethical hacking.
In order to avoid identity theft, online banking users should carefully keep their personal identity information like the account and passwords of the online banking system. Especially for those operating on PCs, before inputting sensitive personal information, ensure the antivirus software is protecting the system. Attackers may monitor the system data flow through malware and copy the passwords. According to the article, many online banking users of HDFC Bank were hit by a phishing attack. The process and concept of the phishing attack are not complicated: the phisher designs a campaign and sends it to a huge quantity of bank account holders via different approaches like spam email or spam messages with a link. If the user clicks on the link, the PC or mobile device will be attacked by a Trojan. After that, if the customer inputs sensitive information like the online banking account and passwords, the Trojan will record the information and send it to the phisher. With the bank account information, the phisher can log in to the online banking system through the customer’s personal identity information. Therefore, if online banking users of HDFC Bank lose their PII to phishing attacks, the attacker may be allowed to access the system and transfer the money in victims’ online bank accounts. This will damage HDFC’s reputation and have a huge negative influence on its online banking service, because HDFC’s online banking system failed in protecting customers’ assets.
To mitigate the risk of attackers logging in to the online banking system through a victim’s online banking account, the effectiveness of secure access and server location are very important. In most cases, an attacker will log in to the online banking system from a different location. For example, if the user usually logs in to the system in New York City, but it is suddenly logged in from the UK on the same day, the system should double-check the identity information by sending a confirmation email or text.
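One way to encode the checks discussed in this post and in the recommendations above (a same-day login from a new country triggering an email/text confirmation, large or unregistered-beneficiary transfers needing extra verification, and dormant accounts being frozen after six months), as an added Python example that is not from the case or from any bank’s system; the thresholds, the 24-hour window and the sample events are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set

# Assumed policy parameters (not from the case study).
DORMANCY_DAYS = 180                  # "6 months" without use: freeze the account
TRAVEL_WINDOW = timedelta(hours=24)  # "same day": compare against logins in this window
LARGE_TRANSFER = 100_000             # constructed large-amount threshold (INR)


@dataclass
class Login:
    """One successful login event for an account (constructed sample shape)."""
    when: datetime
    country: str


def login_decision(history: List[Login], attempt: Login) -> str:
    """Decide what a new login attempt requires.

    history: previous successful logins for the account, oldest first.
    Returns 'freeze'  - account dormant longer than DORMANCY_DAYS; user must
                        reactivate with their authentication information,
            'step_up' - a login from a different country within TRAVEL_WINDOW;
                        send a confirmation email/text before allowing access,
            'allow'   - nothing unusual.
    """
    if not history:
        return "allow"            # first ever login: no baseline to compare with
    last = history[-1].when
    if attempt.when - last > timedelta(days=DORMANCY_DAYS):
        return "freeze"           # dormancy is checked first: frozen beats everything
    recent = [h for h in history if timedelta(0) <= attempt.when - h.when <= TRAVEL_WINDOW]
    if any(h.country != attempt.country for h in recent):
        return "step_up"          # e.g. New York this morning, UK this afternoon
    return "allow"


def transfer_decision(amount: int, beneficiary: str,
                      registered: Set[str]) -> str:
    """Decide whether a transfer can proceed with the current session alone.

    Transfers to a beneficiary the customer has not registered in advance,
    and transfers at or above LARGE_TRANSFER, require a second verification
    step; everything else is allowed.
    """
    if beneficiary not in registered:
        return "step_up"
    if amount >= LARGE_TRANSFER:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed sample events, not real customer data.
    history = [Login(datetime(2016, 9, 1, 9, 0), "US")]
    print(login_decision(history, Login(datetime(2016, 9, 1, 17, 0), "GB")))  # step_up
    print(login_decision(history, Login(datetime(2016, 9, 2, 9, 0), "US")))   # allow
    print(login_decision([Login(datetime(2016, 1, 1), "IN")],
                         Login(datetime(2016, 9, 1), "IN")))                  # freeze
    print(transfer_decision(5_000, "landlord", {"landlord"}))                 # allow
    print(transfer_decision(5_000, "unknown-payee", {"landlord"}))            # step_up
```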
Security challenges in online banking are :
• to have a trustworthy IT system that is not cumbersome to use for a customer –
Banking systems need to be able to strike a balance between being safe and convenient.
• to have the system robust enough to handle the different types of cyber attacks such as phishing, malware, pharming
• to have a system that ensures privacy in transactions such that the transaction data between two people is only available to the concerned two parties and no-one else
• to employ different validation and authentication checks for different types of transactions
• to ensure that dormant accounts are protected as well, as they are susceptible to being hacked without getting noticed or reported
• to employ, in the event of an attack, a mechanism whereby the attack is detected quickly and subsequent action is taken to stop further damage
I like how you mention “Harmonization”. This reminds me of companies located in different states that have different taxing procedures for goods / services.
Here is an example:
Everyone has a cell phone and the taxes associated with the phone & service are based on individual State regulations. One person in PA will have to pay taxes on a new phone, but a person in DE won’t.
The rules and regulations surrounding communications vary from a Federal standpoint to a State standpoint.
An Important Message to Yahoo Users on Security
Yahoo, the tech company, has recently disclosed that it had been breached with over 500 million accounts compromised. According to haveibeenpwned.com, a website that allows users to search if their accounts have been breached using information from the web, the Dropbox breach could potentially be the biggest breach in history, with the largest breach currently being MySpace with close to 360 million accounts compromised. The breach had occurred in late 2014, with the information stolen including names, email addresses, telephone numbers, dates of birth, and hashed passwords. Yahoo had identified that the breach was caused by a state-sponsored hacker, which is to say that the individuals behind the attack had political motivation or support.
While this may seem just like another data breach that we hear about on the news, the two areas that make this breach important are the size and how long it took Yahoo to publicly release the hack. According to the Fortune article, many states require companies to report a breach within 30 days in order to protect users. However, Yahoo had acknowledged that accounts were for sale online in August and has only just recently prompted users to review their online accounts and activity. Due to Yahoo not taking the necessary actions to warn users in a timely manner (within 30 days), Yahoo might be facing legal issues going forward. For myself at least, I normally think of the damage of data breaches as being a loss in reputation or having to pay for damages done to the users. However, fines for not following the law are another cost that could affect those involved in data breaches. I will need to keep posted on this breach as Yahoo reveals more about the attack to the public.
Your smart cars are at risk!
While electronic accessories and smart cars add leisure to cars, they also increase security issues.
Are you an owner of Audi or Volkswagen? What is the issue?
Volkswagen, Audi, Seat and Skoda keyless cars produced over the last 20 years are vulnerable to hack attacks due to their cryptographic keys. The car manufacturers are dependent upon a constant-key scheme and are thus vulnerable.
What is the attack?
Attackers use simple radio signals and can use a simple $40 radio for the attack. Hackers can identify the car, intercept the radio signal sent from a key fob to the car, then get the cryptographic “password” associated with the vehicle. That cryptographic key would then need to be paired with another special key. The constant-key scheme used makes it easy to detect. The bad news is that the task would not be a serious challenge for a professional hacker, and if they ever found the special cryptographic key, they could leak the details online.
How can it affect you?
Although the mechanism cannot start the car, it can still unlock it. This is a major physical security and theft issue, leading to corporate scandals and theft.
With the newest technology of driverless cars, this can be a major threat to human safety.
Who is safe?
VW’s cars built on the recent MQB platform (Golf, Tiguan, Touran and Passat models) were not vulnerable to this attack.
I had read this news earlier and at that time Yahoo had not accepted that the data had been breached. They said they were investigating. The news I read dated back to Aug 2nd. Prior to publishing the news, Motherboard had tested 5000 records and they claimed that not all but a few accounts were accessible. And the accounts which were not accessible were due to password changes, as the data dated back to 2012.
Now that Yahoo has accepted the breach, it has already been more than a month. The sale of accounts was already active on the dark web and the data lost has the potential for further loss.
The article I found is about a new tactic adopted by cyber criminals in Melbourne. It seems like they now drop infected USB drives in random people’s mailboxes hoping that someone would plug one into their computer and give them access to their data.
One would think that with so much awareness of data breaches and hackers, as well as the potential danger of USB drives, people would not even try to plug the device into their computer. However, I was surprised to learn that many people were too curious and ended up infecting their computer. This raises the question of whether or not cyber criminals are now leveraging human psychology and using it as a tool to get to people. A study conducted by researchers from the University of Illinois, the University of Michigan and Google found that all of the target people not only plugged in the USB drive but also opened the files. Why is that? It is certainly not due to a lack of awareness.
This is crazy! I guess we are not safe anywhere anymore. Whether you use your phone, your computer, your car or even the ATM machines, you put yourself at risk one way or another . The funny thing is that, it will get even worse with the rise of technology.
They say we should be embracing new technology but it definitely come with a big package.
Thanks for sharing Priya!
Hackers Leak Michelle Obama’s Passport Online
A scan of First Lady Michelle Obama’s passport has been published online, and the feds are now investigating the breach. The scan appeared on DCLeaks.com, a site with suspected ties to Russia. The hacking group also published other confidential information like travel details, names, social security numbers and birth dates. The scan appears to have been taken from a Gmail account belonging to a low-level White House contractor.
Last week the group published personal emails from former Secretary of State Colin Powell, with critical comments about presidential hopefuls Hillary Clinton and Donald Trump. DCLeaks is suspected to be linked to Russian intelligence services. Also, DCLeaks’ registration and hosting information aligns with other Fancy Bear activities and known tactics, techniques and procedures.
It seems like Russian hacking organizations have attacked American systems several times: Hillary Clinton’s email, American athletes’ medical records and this time Michelle Obama’s passport. However, it is difficult to understand their purpose. Those three events don’t seem to have anything in common. It is a threat that they may make trouble on presidential election day. Also, it is a wake-up call for the government to see how vulnerable its systems are.
Mengxue, thanks for sharing this news. You have brought up an interesting question here: what is the purpose of hackers exploiting identity theft?
Mainly, that does not happen for direct monetary gain. A person may steal personal information to get details of your personal life that can be used while committing a bigger fraud.
Another reason is that hackers want to blackmail the target and get easy cash. I read about an incident where the hacker stole health data and blackmailed patients by threatening to disclose their personal information in public. The hacker could also have a revenge motive.
Flaw in iOS 10 allows hackers to crack passwords:
A severe security flaw was uncovered in the new release of Apple iOS 10 which can allow hackers to crack passwords from backups 2500 times faster than before. The new password verification method is 2500 times slower than iOS 9 backups. Elcomsoft researchers discovered that when an iOS 10 backup is saved in iTunes, a password cracking tool can be used to conduct a brute force attack at a rate of 6 million attempts per second and can also decrypt the entire content of the backup, including the keychain.
Apple is working on a security update to fix it. Apple has since modified its OS to restrict private APIs, but one can still find a way around this restriction. This may not be fixed just by an update, and it is not clear how quickly this can be fixed. Probably along with the iOS 10 update, iTunes also has to be updated, and the backup format may also need to be changed.
iOS is known to be malware free or threat free. Seeing this, I feel that no organization can take its security lightly, and it should always be ready to face threats no matter what preventive measures it takes.
Article: US Issues Federal Security Guidance on Self-Driving Cars
In its most comprehensive statement yet on autonomous vehicles, the US Department of Transportation has issued a 15-point set of federal safety assessment guidelines covering issues like cybersecurity, black box recordings and how a vehicle would deal with potential ethical conundrums.
When it comes to cyber, the guidelines say that “the manufacturer or other entity should address the cross-cutting items as a vehicle or equipment is designed and developed to ensure that the vehicle has data recording and sharing capabilities; [and] that it has applied appropriate functional safety and cybersecurity best practices.”
On the privacy front, DoT said that manufacturers’ privacy policies must explain how they collect, use, share, secure, audit and destroy data from vehicles, offering choices as to how personally identifiable information (PII) like geolocation, biometric and driver behavior data is accessed and used. It also said that manufacturers should collect and retain the minimum amount of personal data required to achieve legitimate business purposes—and keep the data only for as long as necessary.
Spot on news post, Paul! To piggyback off the previous post, it’s a shame it took so long for Yahoo to disclose this information.
Priya, I most definitely agree with that about the email notification. The brunt of the backlash would have been minute. Unless Yahoo wanted the bad publicity. I would like not to think so, but reading some Twitter users’ tweets about Yahoo doing a publicity stunt was pretty funny.
The article I read is about how mobile devices and mobile security are likely to become the next corporate focus for security executives, because in recent times hacks and exploits have become more successful. In fact, it is now a fact that mobile security NEEDS to be part of the broader policy and procedure mix, because most incidents are due to employees failing to follow basic security instructions and procedures. Securing mobile devices is tricky because of the above fact, because employees lose their devices, and because oftentimes people use their own unsupported devices for work. Researchers have found that PINs and passwords can be stolen from mobile devices with 80% accuracy on their first attempt and 90% on their second. The reality is that while executives want to bring in the latest and greatest in mobile technology, even the latest mobile devices are one of the weakest links in corporate security. So the bottom line is that mobile security, protecting data, securing networks, and training employees to take security seriously are going to be a huge focus and challenge for security executives moving forward.
***********Disclaimer: Posted this new article by accident on week 4 -_-************
This article goes into an explanation of the massive hacks that have been happening via the Dark Net against huge companies. A few of the heavy hitters that fell victim include Apple, DropBox, Uber, McDonald’s, eBay, etc. As many as 85 companies have been targeted by these “Russian hackers”.
The article goes into further detail that there is no knowledge regarding the identities of the perpetrators and no links have been established to foreign governments. Yet, if the information that was seized by these hackers is valuable, they allude that we can expect to see these stolen credentials for sale on the dark web.
Firefox browser vulnerable to Man-in-the-Middle Attack
I found an article about the Firefox browser, in which a critical vulnerability residing in Mozilla’s Firefox browser allows attackers to launch a MITM attack. This can deliver a malicious update onto the targeted computer.
The main issue exists in Firefox Certificate Pinning, which is an HTTPS feature that makes sure the user’s browser accepts only a specific certificate key for a particular domain or subdomain and rejects all others, preventing the user from being a victim of an attack made by spoofing SSL certs.
Mozilla announced that they scheduled the release of Firefox 49 for September 20; users should update to the new version and disable automatic add-on updates.
Really interesting article. I think they have released updates concerning the issue. Also, iOS is far from being malware free or threat free. It’s just that more people use Android and Windows phones, so hackers put all their energy into those OSs as it’s more lucrative.
Hackers stole airline miles to book a hotel room or flight
It’s easy for hackers to get into your airline and hotel rewards accounts, then use your hard-earned points and miles for their own gain. Hackers might use passwords from lower-security sites like shopping platforms or chat forums and try those same passwords on frequent flier accounts, or they might send out phishing emails to trick customers into giving away account information.
The article I read this week is called “Chinese Hackers Remotely Control Tesla Cars.” It talked about how Chinese researchers have discovered major security vulnerabilities in several Tesla car models, allowing them to remotely apply the brakes, open the boot and perform other actions which could put drivers in danger. In addition, the cyber-attack allows folding the car’s wing mirrors when it changes lanes while driving, and braking the car when in motion. This was the first case of a remote attack on Tesla cars. Other professionals argued that it is the modern car’s connectivity which often leaves it exposed to attack, especially as mechanical and electrical engineers don’t have the requisite TCP/IP skills to develop secure implementations. One of them listed several focuses: “open source to improve the quality of the software; forging a root of trust in hardware to ensure firmware can’t be reflashed and replaced; and security-by-separation via hardware-assisted virtualization, to ensure lateral movement inside embedded systems is not allowed.”
As a result, Tesla has fixed the issues and claimed that the bug could only be exploited if a car was physically near and connected to a malicious Wi-Fi hotspot.
Synopsis of “Swift Reports Summer Cyber Attacks on Three Banks”
Since this week’s case study was online banking, I thought this article was interesting because it points out that it is not only online banking that is vulnerable to cyber attacks.
Swift is a company that provides a financial messaging network to businesses, banks, and other financial institutions to make transactions, which includes real-time payment systems. It currently connects 11,000 institutions in over 200 different countries.
Hackers were able to create and transmit fraudulent messages requesting money transfers to a third-party beneficiary. Some of the banks hit were in Bangladesh (India), Ecuador, Ukraine, and Vietnam. A total of $81 million was transferred by hackers, and SWIFT’s CEO warns financial institutions to take additional precautions to secure their local networks.
To learn more about SWIFT: https://www.youtube.com/watch?v=t_lPPxUwdM0
Russian ‘Fancy Bear’ Hackers Hit Mac OS X With New Trojan
Fancy Bear has been spotted using a new Trojan that targets Apple Mac OS X machines. The group used a phishing email to lure the user into downloading a file that looks like a PDF but is instead malicious executable code. The victim works in the aerospace industry and thought he/she was downloading a file about the Russian space program. Once the victim opens the file or link, a decoy document with a PDF-looking icon appears.
Until now, the group was mostly attacking Windows machines in its targeted attacks against government agencies, nonprofits and non-government organizations.
This is really interesting because people think Apple OSs are not vulnerable to attacks, whereas more and more hackers are developing malware to attack those OSs.
New MarsJoke Ransomware Targets Government Agencies
State and local government agencies, K-12 educational institutions, healthcare, telecommunications and insurance are being targeted in a newly discovered spam email campaign aimed at distributing a new ransomware variant.
The MarsJoke ransomware email campaign featured emails containing links to an executable file named “file_6.exe,” which was hosted on various sites with recently registered domains. Apparently, the attackers registered the abused domains for this specific campaign, marking a major shift from the usual attached-document campaigns.
The attackers use subject lines such as “Checking tracking number,” “Check your package,” “Check your TN,” “Check your tracking number,” “Tracking information,” and “Track your package” to convince victims.
It creates .bat and .txt instruction files and saves them throughout the file system to alert the victim of the infection. Infected users need to follow the instructions included in a locker window. The malware also changes the victim’s desktop background and displays a ransom message in several languages, including English, Russian, Italian, Spanish, and Ukrainian. Victims are warned that if a 0.7 Bitcoin ransom isn’t paid within 96 hours, their files will be deleted.
In the case of the MarsJoke campaign described here, K-12 educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure that robust backups and strong defensive resources are in place to prevent and mitigate infections.
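As an added example (not code from the original post or from the campaign write-up it summarizes), here is a small Python triage script that turns the indicators described in this thread into a mail-gateway check: the listed subject lines, a link to `file_6.exe` or another executable, and a link domain registered only days before the mail arrived. The hostnames, registration dates, sample mails and the 30-day "young domain" threshold are constructed assumptions, not figures from the article.

```python
"""Constructed detection example: flag e-mails that match the MarsJoke lure."""
from __future__ import annotations

import re
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# Subject lines the campaign used (listed in the article); compared case-insensitively.
LURE_SUBJECTS = {
    "checking tracking number", "check your package", "check your tn",
    "check your tracking number", "tracking information", "track your package",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EXEC_SUFFIXES = (".exe", ".scr", ".bat", ".js")
# A domain registered this recently before the mail arrived is treated as "young".
# The threshold is an assumption for this example, not a figure from the article.
YOUNG_DOMAIN_DAYS = 30


def lure_subject(subject: str) -> bool:
    """True if the subject is one of the package-tracking lures from the campaign."""
    return subject.strip().strip('"\u201c\u201d').lower() in LURE_SUBJECTS


def executable_links(body: str) -> list[str]:
    """URLs in the body whose path ends in an executable extension."""
    return [u for u in URL_RE.findall(body)
            if urlparse(u).path.lower().endswith(EXEC_SUFFIXES)]


def domain_age_days(url: str, received: date, whois: dict[str, date]) -> Optional[int]:
    """Days between the link domain's registration and the mail's arrival (None if unknown)."""
    host = (urlparse(url).hostname or "").lower()
    registered = whois.get(host)
    return (received - registered).days if registered else None


def score_mail(mail: dict, whois: dict[str, date]) -> dict:
    """Combine the campaign's indicators into a verdict for one mail.

    mail  = {"subject": str, "body": str, "received": date}
    whois = {hostname: registration date}, a stand-in for a WHOIS/RDAP lookup
    """
    indicators = []
    if lure_subject(mail["subject"]):
        indicators.append("lure_subject")
    links = executable_links(mail["body"])
    if links:
        indicators.append("executable_link")
    for url in links:
        if urlparse(url).path.lower().endswith("/file_6.exe"):
            indicators.append("file_6_exe")
        age = domain_age_days(url, mail["received"], whois)
        if age is not None and age <= YOUNG_DOMAIN_DAYS:
            indicators.append("young_domain")
    indicators = sorted(set(indicators))
    # A link to an executable is required before anything is blocked: on its own it
    # only earns a review, but paired with the lure subject, the file_6.exe name or a
    # freshly registered domain it matches the campaign closely enough to quarantine.
    if "executable_link" in indicators and (
        {"lure_subject", "young_domain", "file_6_exe"} & set(indicators)
    ):
        verdict = "quarantine"
    elif "executable_link" in indicators:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"subject": mail["subject"], "indicators": indicators, "verdict": verdict}


# --- constructed sample data (not real mails, domains or registration dates) ---
RECEIVED = date(2016, 9, 22)
WHOIS = {
    "pkg-status-check.example": date(2016, 9, 19),   # registered 3 days before arrival
    "parcel-carrier.example": date(2004, 5, 11),     # long-established carrier
    "old-files.example": date(2010, 2, 2),
}
SAMPLE_MAILS = [
    {"subject": "Check your package", "received": RECEIVED,
     "body": "Your parcel is waiting. Details: http://pkg-status-check.example/dl/file_6.exe"},
    # A legitimate carrier mail shares the lure wording but links to no executable.
    {"subject": "Tracking information", "received": RECEIVED,
     "body": "Shipment 1Z999 is out for delivery: https://parcel-carrier.example/track?id=1Z999"},
    {"subject": "Q3 report", "received": RECEIVED,
     "body": "Archive here: http://old-files.example/reports/q3.exe"},
]


def analyze_all(mails=SAMPLE_MAILS, whois=WHOIS) -> list[dict]:
    """Score every mail; for SAMPLE_MAILS the verdicts are quarantine, deliver, review."""
    return [score_mail(m, whois) for m in mails]


if __name__ == "__main__":
    for result in analyze_all():
        print(f'{result["verdict"]:10} {result["subject"]!r:28} {result["indicators"]}')
```

The second sample shows why the subject line alone is not enough to block: a real carrier notification uses the same wording, so the executable link is what separates the lure from legitimate mail.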
NEWS: “Leaked NSA Hacking Tools Were ‘Mistakenly’ Left By An Agent On A Remote Server”
The Shadow Brokers, a hacking group, published leaked data including hacking tools that were made to inject malware into various servers, and also leaked “best files” of some sophisticated “cyber weapons” and put them on sale for 1 million bitcoins. The Shadow Brokers obtained all these tools by hacking an NSA-linked group.
It turns out that the NSA’s private zero-day exploits, malware and hacking tools were directly hacked. A former NSA employee left these tools on a remote server three years ago, and a group of Russian hackers discovered them, according to an investigation by Reuters. These hacking tools helped hackers exploit vulnerabilities in systems from Cisco, Juniper and Fortinet.
The careless employee did realize the mistake and reported it to the NSA shortly after, but instead of notifying the affected vendors about the associated risks, the NSA kept quiet. When the NSA’s cyber weapons were released in public, Cisco and Fortinet confirmed “the leaked zero-day vulnerabilities were legitimate and issued out patches to fix those exploits.”
Hackers will continue to use the exploits to launch cyber-attacks, and some Cisco customers were targeted as well; Cisco released a new zero-day vulnerability from the data that was dumped publicly.
I read the article named “iOS 10 Flaw Could Expose Backup Data to Hackers”. The article points out that the iOS 10 operating system skips certain security checks during the backup process. Indeed, this can increase the running speed of the system; however, compared with iOS 9, the newest version of the iOS operating system raises the risk of being hacked, which may cause serious leaks of users’ personal information. According to the article, iOS 10 potentially gives hackers access to information stored in a user’s Apple Keychain. This could include passwords, credit card information and Wi-Fi network information. Apple confirmed to Forbes that it was aware of the issue and was working on a fix.
IoT devices being increasingly used for DDoS attacks
IoT attacks have long been predicted, with plenty of speculation about possible hijacking of home automation and home security devices. Today, attackers tend to be less interested in the victim and the majority wish to hijack a device to add it to a botnet, most of which are used to perform distributed denial of service (DDoS) attacks. The number of attack groups focusing on IoT has multiplied over the past year. 2015 was a record year for IoT attacks, with eight new malware families emerging.
Just this month the security vendor Sucuri reported on a large DDoS attack launched from 3 different types of botnets (a CCTV botnet, a home router botnet and compromised web servers). While not commonly seen in the past, attacks originating from multiple IoT platforms simultaneously may be seen more often in the future, as the number of embedded devices connected to the Internet rises.
Poor security on many IoT devices makes them soft targets, and often victims may not even know they have been infected. Attackers are now highly aware of lax IoT security, and many pre-program their malware with commonly used and default passwords. More than half of all IoT attacks originate from China and the US. High numbers of attacks are also emanating from Russia, Germany, the Netherlands, Ukraine and Vietnam.
Majority of attacks originate in the US and China
Analysis of a Symantec honeypot which collects IoT malware samples found that the highest number of IoT attacks originated in China, which accounted for 34 percent of attacks seen in 2016. Twenty-six percent of attacks stemmed from the US, followed by Russia (9 percent), Germany (6 percent), the Netherlands (5 percent), and Ukraine (5 percent). Vietnam, the UK, France, and South Korea rounded out the top ten.
How to stay protected:
• Research the capabilities and security features of an IoT device before purchase
• Perform an audit of IoT devices used on your network
• Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks. Don’t use common or easily guessable passwords such as “123456” or “password”
• Use a strong encryption method when setting up Wi-Fi network access (WPA)
• Many devices come with a variety of services enabled by default. Disable features and services that are not required
• Disable Telnet login and use SSH where possible
• Modify the default privacy and security settings of IoT devices according to your requirements and security policy
• Disable or protect remote access to IoT devices when not needed
• Use wired connections instead of wireless where possible
• Regularly check the manufacturer’s website for firmware updates
• Ensure that a hardware outage does not result in an insecure state of the device
Mobile devices have been one of the weakest links in corporate security because most organizations have begun using mobile devices to increase operational efficiencies but don’t have strong controls or security in place. It is very important for organizations to take this seriously and set up strict policies for employees using their own devices for work. I am very shocked at how easy and accurate it is to steal our PINs and passwords on the first and second attempt on our mobile devices.
Bad Security Habits Persist Despite Rising Awareness
In the spirit of “Creating a Security Aware Organization Week”, I found an article that actually brings bad news about this topic. It seems that a survey done in 2016 found that despite 79% of organizations feeling that they learned lessons from cyber-attacks and improved security, only 25% deployed malware protection, followed by endpoint security (24%), and 16% deployed security analytics. They also found that 40% admitted to storing privileged and admin passwords in Word documents or spreadsheets, which is a worrying practice. Another point of worry is that almost half (49%) of the respondents allow third-party access to their systems, and public sector firms are doing a poor job of securing that access: 21% admitted to not securing connections at all, while 33% do not monitor third-party activity on their network.
Those tweets are pretty funny! Unfortunately, I wish it could be just a publicity stunt, but instead this hack was backed by some government. I recently read another interesting article on the breach, and it gives a couple of examples of why a government would support such hacks.
Interesting article, Yulun.
In fact, security is not just about the information security of an organization but about all electronic devices, including cars, mobile phones and computers. I am imagining how dangerous and scary it is to remotely control a Tesla car while someone is using the Autopilot feature of Tesla.
Uber’s new selfie check helps make sure riders get the driver they’re promised
Uber has announced that it will require drivers to take selfies before signing on to the platform and accepting ride requests. The new feature, called Real-Time ID Check, uses Microsoft machine learning to compare a selfie snapped in the moment against a driver’s registered profile pic, which Uber says is designed as a protective safety measure for rider and driver alike.
On the rider side, it means the driver you’re getting is the same one who went through Uber’s onboarding process. Plus, it may avoid things like the “ghost driver” phenomenon.
On the driver side, Uber notes that this will prevent driver fraud by essentially requiring an additional verification measure each time you log in. The equivalent Uber is looking to evoke seems to be bank account security: it’s aiming to protect drivers against identity theft.
Interesting article. I also used to think that Apple computers or its OSs are more secure against cyber attacks. In fact, none of the operating systems (Linux, MacOS, Windows) are perfect in security. Employees can still open phishing emails even if the OSs are perfectly secured. I recall from our class that some organizations send out test phishing emails to see how their employees react. If employees do open the phishing email, they will be sent to complete specific training.
Thanks for sharing this news. I think that we should avoid giving our personal information to unsecured websites, but in fact it is hard to define which websites have lower security, so I tend to trust large companies because they would invest more in securing their websites.
The article that I selected this week is regarding the massive breach from 2014 in which over 500 million customer records were stolen by what Venafi (a security consultant brought in after the breach) said was a state-sponsored breach by a Chinese group. The records were found for sale on a dark web site called The Real Deal. There are also accusations being tossed around that Yahoo’s CEO, Marissa Mayer, was aware of what was described as a devastating breach long before the breach was made public. The fallout from this breach could have far-reaching impact, as the timing of this being made public couldn’t have been worse: Yahoo was in the process of selling its core business to Verizon, and the filings to the SEC for the purchase were made just last week. During that process Mayer also said she had no knowledge of any serious breach of Yahoo’s internal systems or user accounts. It appears that this was completely untrue and may end up terminating the sale to Verizon. This brings up serious questions as to what the Chief Executive’s duty is when a breach of customer records is identified, as far as notifying the users as well as making it available in the case where the company is up for sale to potential buyers. In addition to the implications for the Verizon acquisition, a class action lawsuit has been filed stating that they were negligent in protecting users’ data. The issue at hand is that it appears Yahoo was using outdated algorithms and outdated certificates, creating a relatively easy target for motivated individuals.
Hospital Security Fears as Pagers Come Under Spotlight
This article says that all healthcare organizations should immediately re-evaluate their use of pagers because unencrypted messages can be intercepted and spoofed with potentially life-threatening repercussions. Following are the key points that Trend Micro made in its new Leaking Beeps report:
• Pager messages can be simply decoded with a software-defined radio (SDR) and a $20 USB dongle.
• It enables remote hackers to spy on sensitive protected health information (PHI) being sent to and from facilities, including names and medical diagnoses.
• Hackers could sabotage medical prescriptions by spoofing messages intended for pharmacies; direct patients to the wrong operating room; create havoc by declaring emergencies inside facilities; and even steal the identities of dead patients.
What actions should be taken to prevent spoofed messages?
• Limit the transmission of relevant documentation/information on the receiving end.
• Vendors should include pre-shared key (PSK) encryption in pagers to protect customer privacy, and authentication needs to be designed into the firmware.
Brits in Biometrics Boost as 20% Use Fingerprint Tech
While PINs and passwords (63%) are still the most popular way to authenticate via the device, nearly a quarter of respondents (21%) said they use fingerprint sensors to do so. This article highlights that PINs and passwords are not safe anymore and that there is a growing need for and influence of biometrics in cybersecurity. A majority of UK firms expect to increase their spending on biometrics in the next three years.
In fact, hackers can easily crack passwords by trying millions of word combinations, but it is much harder to hack passwords or systems with biometric technology. Organizations like banks should begin considering adopting biometric technology to improve customer authentication. In our case study, HDFC bank had a hard time balancing the convenience levels of customers while improving online banking security.
The Tesla Model S was hacked by a Chinese security research group (Keen Security), who posted the entire hack and how they did it on YouTube. The group was able to take over the controls of the car’s computer, door locks and side mirrors during Autopilot mode. Tesla has provided patches for the security flaw.
This is a huge security flaw for Tesla, but I am glad the good guys were able to identify the issue before the bad guys found it. Glad to see Tesla being proactive with security and technology.
“HACKING, CRYPTOGRAPHY, AND THE COUNTDOWN TO QUANTUM COMPUTING”
The article I chose is about the threat of quantum computing to current encryption methods. At the moment, strong encryption is one of the best cyber security tools available, and most available computing power is not able to break strong encryption. Computers attempt to break encryption by trying one combination after another, in a method known as brute force, until successful. This method can be successful for weaker encryption, but the stronger the encryption, the harder it becomes for computers. Stronger encryption means longer passwords or more possibilities for a computer to guess, and it can only guess one answer at a time. Most strong encryption standards are out of reach for current computers, but not for quantum computers.
Quantum computers operate differently than current computers. Today, computers process through 0 or 1, known as bits. Instead of bits, quantum computers store information as qubits, which can be either or both at once. Quantum mechanics allows for superposition, which allows objects to exist in multiple states and/or be in different places simultaneously. Superposition is the primary threat that quantum computing poses to encryption. Unlike a traditional computer, which must try combinations sequentially, a quantum computer can try many different combinations simultaneously, exponentially speeding up the process. With more advancement in quantum computing, current encryption methods might become useless.
I think that Tesla was the first car manufacturer to deliver software updates remotely. While convenient, this can make the car vulnerable to cyber threats. On the other hand, it allows Tesla to push out security updates very quickly as opposed to having to do a traditional recall. While there are always going to be cyber security issues with cars, and Tesla is no exception, they seem to take the issue very seriously, but time will tell.
Another reminder of how inadequate cyber security is for healthcare organizations. Hard to believe that anyone is still using pagers, not to mention an organization that has a lot of sensitive data.
This hack isn’t that worrying, I believe, since other methods of getting into a car are easier. If you are parking in public and lock the door as you leave the car, then it doesn’t matter if they sniff the signal when you wirelessly unlock the car. Since they can’t start the car, there isn’t much they can do besides take items from it. Lockpicks can pick most commercial locks out there as is. Smashing the windows is another way into the car once you have left it. A pickpocket would take your key fob as you walk away from the car.
This is interesting. It just reminds me how tight security will have to be if they release self-driving cars. Self-driving cars have zero room for error. A great/expensive product like a Tesla makes it seem like this may never happen. I am curious about how well the patches will fix the security flaws with Tesla. I wonder what the hacker will be able to do to the movement of the actual car rather than just steal information and mess with the stereo and such.