Wednesday, May 6, 2020
An Investigation of Risk Management Practices in Electronic Banking
Question: Discuss about An Investigation of Risk Management Practices in Electronic Banking?

Answer:

Identification and evaluation of the IT security risk

Security threats to the IT infrastructure, and to databases in particular, concern one of the assets that is compromised most often, as reported in the 2014 Verizon Data Breach Report. The reason databases are targeted so frequently is straightforward: they sit at the core of any organisation that holds customer records and other confidential business information (Aljawarneh, 2011).

Most important security risks in the operation of Auto Spares and Accessories Limited (ASA)

Phishing: This is a very common method of obtaining the confidential data of a genuine user, and it is typically employed by an unauthorised party. In most cases the fraudster attaches a hyperlink or an attachment to an email and sends it to the legitimate user (Yu et al. 2011). The moment the user clicks the hyperlink or opens the attachment, believing it to be genuine, malware is injected into the system. The next time the user takes part in an online transaction, the malware begins stealing private and confidential data.

Excessive and Unused Privileges: When someone is granted database privileges that exceed the needs of their job function, those privileges can be abused. For example, a bank employee whose job requires only the ability to change an account holder's contact details may misuse excessive database privileges to increase the balance of a colleague's account (Imperva, 2015). Further, when someone changes roles within an organisation or leaves it altogether, his or her access rights to sensitive data often do not change.
Privilege Abuse: Users may misuse legitimate database privileges for unauthorised purposes. Consider an internal healthcare application used for viewing individual patient records through a custom web interface (Baracaldo and Joshi, 2013). The web application normally restricts users to viewing the healthcare history of a single patient at a time: multiple patient records cannot be viewed simultaneously, and electronic copies are not permitted.

Malware: Cybercriminals, state-sponsored hackers and spies combine several advanced attack techniques, for instance embedding malware in phishing messages. With this method they are able to attack the organisation's sensitive data (Pilling, 2013). Legitimate users thus become the unwitting victims of these groups of attackers, as they often remain unaware of such activity.

Exposure of Storage Media: Backup storage media is routinely left completely unprotected from attack. As a result, several security breaches have involved the theft of database backup tapes and disks. In addition, failure to audit and monitor the activities of administrators who have low-level access to sensitive data can put that data at risk (D'Agostino and Wilshusen, 2011). Taking appropriate measures to safeguard backup copies of sensitive data and to monitor the most highly privileged users is a data security best practice, and is also required by many regulations.

Use of Unpatched and Wrongly Configured Databases: It is common to find unprotected and unpatched databases, or databases that still retain default accounts and configuration parameters.
Attackers know how to exploit these vulnerabilities to launch attacks against the organisation (Yu, Kim and Unland, 2011). Unfortunately, organisations routinely struggle to stay on top of database configuration maintenance even when patches are available. Typical problems include mounting backlogs and excessive workloads for the database administrators, complex and time-consuming requirements for testing patches, and the difficulty of finding a maintenance window in which to take down and work on what is usually a business-critical system (Durbin, 2011).

Sensitive Data Managed Improperly: Many organisations struggle to maintain an accurate inventory of their databases and of the critical data objects contained within them. Sensitive data in these databases will be exposed to threats if the necessary controls and permissions are not implemented.

Denial of Service: This is a very broad category of attack in which legitimate users are prevented from accessing information through the system's applications (Kiltz, 2011). Several techniques exist for producing this situation. A very common one is to overload the resources of the main server, either by throwing an enormous number of queries at it or by sending a small number of well-crafted queries capable of consuming the system's resources disproportionately (Pilling, 2013). In either case the inevitable result is that the main servers begin to starve, become unresponsive, and in some cases even crash.

Limited Security Expertise and Education: Internal security controls are not keeping pace with data growth, and organisations lack the ability to maintain policies or coordinate incident response processes. According to one report, in 30 percent of data breach incidents the root cause was identified as the "human factor", in other words a negligent employee or contractor.
Many organisations are generally not well equipped to deal with a security breach (D'Agostino and Wilshusen, 2011). Often this is a result of the lack of expertise required to implement security controls, maintain policies, or coordinate incident response processes.

Mitigation strategy of these risks ASA can adopt

Six different classes of solutions can be arranged that provide patches and fixes against the security threats listed above and therefore constitute commendable best practices.

Mitigating DoS: A thorough understanding of the vulnerabilities that can put databases at risk through data injection is absolutely necessary. Malware may try to exploit hidden database vulnerabilities, which makes them a convenient target. A denial-of-service (DoS) attack at the application layer can be enabled by weak authentication rules that allow access to a particular database without requiring a password (Kiltz, 2011).

Mitigation of risks from wrongly configured databases: Risk scoring is performed primarily on the basis of the severity of the vulnerabilities as well as the sensitivity of the data (Turiel, 2011). Severity standards should be based on recognised frameworks such as the Common Vulnerability Scoring System (CVSS). Other perspectives, such as the threat, the management and the investigation of vulnerabilities, can be organised by the risk score. Under this scheme, the highest risk scores would correspond to data injection vulnerabilities (Mansfield-Devine, 2011).

Mitigation of Vulnerabilities: If a vulnerability is discovered and the database vendor has not yet released a patch, a virtual patching solution has to be used (Lesk, 2013).
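As an added example, not part of the original essay, the scoring and treatment logic described in the two paragraphs above can be written out as a small prioritisation routine: each finding is banded by its CVSS base score, weighted by the sensitivity of the data it exposes, and assigned either a vendor patch or a virtual patch depending on whether a vendor fix exists. The CVSS v3 qualitative bands are the published thresholds; the sensitivity weights, the `Finding` record and the sample findings are assumptions constructed for this illustration.

```python
"""Rank database findings by CVSS severity and data sensitivity, and mark
those that need a virtual patch because no vendor fix is available yet.

Added example (not from the original article). The CVSS v3 qualitative
bands are the published thresholds; the sensitivity weights and the
sample findings below are constructed for illustration.
"""
from dataclasses import dataclass


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative severity rating for a base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Assumed weighting of data sensitivity tiers (constructed, not the page's).
SENSITIVITY_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass
class Finding:
    database: str
    description: str
    cvss_base: float
    sensitivity: str      # one of SENSITIVITY_WEIGHT's keys
    vendor_patch: bool    # True when the vendor has shipped a fix


def risk_score(f: Finding) -> float:
    """Severity times sensitivity weight: 0..40 under the assumed weights."""
    return round(f.cvss_base * SENSITIVITY_WEIGHT[f.sensitivity], 1)


def prioritise(findings):
    """Return findings ordered highest risk first, each with its band,
    score and the treatment the text prescribes: the vendor patch when one
    exists, otherwise a virtual patch until the vulnerability is removed."""
    ranked = []
    for f in findings:
        ranked.append({
            "database": f.database,
            "description": f.description,
            "band": cvss_band(f.cvss_base),
            "score": risk_score(f),
            "treatment": ("apply vendor patch" if f.vendor_patch
                          else "virtual patch (no vendor fix yet)"),
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


# Constructed sample findings for a small retailer's two databases.
SAMPLE_FINDINGS = [
    Finding("stock_db", "default admin account still enabled", 7.5, "internal", True),
    Finding("customer_db", "SQL injection in product search", 9.8, "restricted", False),
    Finding("stock_db", "verbose error messages", 3.1, "public", True),
    Finding("customer_db", "missing patch for known DoS bug", 5.3, "confidential", True),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS):
        print(f"{row['score']:>5}  {row['band']:<8} {row['database']:<12} "
              f"{row['description']} -> {row['treatment']}")
```

The sort key is the combined score rather than the CVSS band alone, which is what lets a medium-severity bug on the customer database outrank a high-severity one on the less sensitive stock database.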
These virtual patches will block attempts to exploit the vulnerability without requiring actual patches or changes to the current server configuration, until the vulnerability is eliminated (D'Agostino and Wilshusen, 2011).

Mitigation from malware and virus attacks: Hosts infected by malware can be identified in order to prevent these devices from gaining access to sensitive data in the databases as well as in unstructured data stores (Hipgrave, 2013).

Recognise and Categorise Sensitive Data: Database objects, columns and values can be examined to pinpoint sensitive information (Turiel, 2011). Data classification schemes can be used that recognise different kinds of information, such as credit card numbers, email addresses and nationally recognised identity numbers, and to which custom data types can be added (Baracaldo et al. 2013).

Mitigation Solution for external data: Long-term data archival procedures can be automated. Solutions designed for periodically archiving data to external mass storage systems should be used (Imperva, 2015). There should also be an option for optional compression, encryption and signing before archival.

Mitigation Solution for Phishing: Sensitive data should be encrypted across heterogeneous database environments (Genera, 2015). This makes it possible to protect both production and backup copies of the databases. Thereafter, the activity of, and access to, sensitive data by users able to reach the databases at the OS and storage levels must be audited.
Mitigation from excessive and unprivileged access: Data security staff should be hired who are sufficiently skilled in IT security and have adequate experience in the implementation, management and monitoring of security solutions to protect against an expanding range of threats, both internal and external (Baracaldo and Joshi, 2013). Continuous education and training are also essential for building knowledge.

Risk Assessment Procedures

In the previous task module, the potential risks underlying the IT operations of Auto Spares and Accessories Limited (ASA) were identified and evaluated. The next phase after the successful identification of the risks is for ASA to develop an effective and efficient method of handling them. After analysing the risks in ASA's dedicated web-based architecture, the risks need to be treated and monitored. Treating and monitoring the risks in order to control the harm they cause is known as the risk assessment process. Managing risk in ASA follows different procedures, such as developing a way to stop the risk from occurring, or accepting the risk by assigning some tasks to other entities and neutralising it (McNeil, Frey, and Embrechts, 2015). In ASA, the potential risks are identified and then treated to minimise them.

Evaluating the data protection procedure in the ASA

Treating and evaluating Phishing Activity in ASA: Phishing is treated in ASA as a vital threat to both customers and the company during transactions. Phishing attacks are anonymous and steal users' banking IDs and passwords without their knowledge. Since ASA is considering making the purchasing of its products entirely online, security and protection against simple phishing, or the more advanced spear phishing, are necessary.
In ASA, phishing activity can be controlled by guarding its single network-connected computer against spam messages and ensuring that personal financial data is never communicated through emails or insecure hyperlinked websites (Hong, 2012). ASA's security system always needs to be kept up to date with firewalls and antivirus to protect the system from new and advanced attacks. Regular monitoring for phishing attacks is needed.

Treating Excessive and Unused Privileges: All of ASA's data is backed up in a single database, so it is highly recommended to secure that database against any risk. Excessive use of the database can be controlled by revising the database's security controls and access policies (Akanji and Elusoji, 2014). Since the database is also accessible to customers searching through the different products, the integrity and isolation of the database must be ensured. The segmentation between the various sub-databases of the single database architecture needs to be protected by the firewall. Regular updates and checks for any unusual activity in the database will help in preventing the risks involved.

Privilege Abuse: According to the ACFE (Association of Certified Fraud Examiners), a typical corporation loses about 5% of its annual revenue every year because of privileged access held by its employees (Thakkar, 2015). To stop privilege abuse in ASA, the number of privileged accounts in the ASA database needs to be reduced. ASA needs to train its employees efficiently about the different attacks and about the practice of logging out of their accounts. PUMA (Privileged User Monitoring and Access) should be installed in the ASA IT system to monitor every activity of the user (Ramstrom, 2013).

Treating Malware: All the data and information about the different products in the ASA warehouse is stored in the single database architecture connected to a single computer.
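The privileged-user monitoring called for under Excessive and Unused Privileges and Privilege Abuse above comes down to two checks: comparing the privileges an account actually holds against what its role needs (dormant excess rights, including those of people who have changed role or left), and reviewing the audit log for actions outside the actor's role. The following is an added example, not code from the essay or from any vendor's product; the audit-log format (one `key=value` record per line), the role model, the account records and the log lines are all constructed assumptions.

```python
"""Privileged-user monitoring over a constructed database audit log.

Added example (not the article's or any vendor's code). It assumes an
audit log with one 'key=value' record per line and a role model in which
each role is allowed a fixed set of (action, target) pairs; the roles,
account records and log lines below are all constructed.
"""
import re

# Assumed role model: what each job function legitimately needs.
ROLE_ALLOWED = {
    "support": {("SELECT", "customers"), ("UPDATE", "customers.contact")},
    "stock":   {("SELECT", "stock"), ("UPDATE", "stock"), ("INSERT", "stock")},
    "dba":     {("SELECT", "*"), ("UPDATE", "*"), ("INSERT", "*"),
                ("DELETE", "*"), ("GRANT", "*")},
}

# Constructed account records: role, privileges actually granted in the
# database, and whether the person is still active in that role.
ACCOUNTS = {
    "alice": {"role": "support", "active": True,
              "grants": {("SELECT", "customers"), ("UPDATE", "customers.contact"),
                         ("UPDATE", "customers.balance")}},   # more than support needs
    "bob":   {"role": "stock", "active": True,
              "grants": {("SELECT", "stock"), ("UPDATE", "stock"), ("INSERT", "stock")}},
    "carol": {"role": "dba", "active": False,                 # left, rights never revoked
              "grants": {("SELECT", "*"), ("UPDATE", "*"), ("INSERT", "*"),
                         ("DELETE", "*"), ("GRANT", "*")}},
}

LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'ts=... user=... action=... target=...' into a dict."""
    return dict(LOG_FIELD.findall(line))


def _allowed(role: str, action: str, target: str) -> bool:
    allowed = ROLE_ALLOWED[role]
    return (action, target) in allowed or (action, "*") in allowed


def excessive_privileges() -> dict:
    """Grants each account holds beyond what its role needs (dormant risk)."""
    out = {}
    for user, acct in ACCOUNTS.items():
        extra = {g for g in acct["grants"] if not _allowed(acct["role"], *g)}
        if extra:
            out[user] = sorted(extra)
    return out


def review_log(lines) -> list:
    """Flag each record that is an action outside the user's role (privilege
    abuse), any action by an account that should no longer have access, or
    an actor with no account record at all."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        user, action, target = rec["user"], rec["action"], rec["target"]
        acct = ACCOUNTS.get(user)
        if acct is None:
            alerts.append((rec["ts"], user, "unknown account"))
        elif not acct["active"]:
            alerts.append((rec["ts"], user, "activity from inactive account"))
        elif not _allowed(acct["role"], action, target):
            alerts.append((rec["ts"], user,
                           f"{action} on {target} outside role {acct['role']}"))
    return alerts


# Constructed audit log lines.
SAMPLE_LOG = [
    "ts=2016-01-05T09:12:01 user=alice action=UPDATE target=customers.contact",
    "ts=2016-01-05T09:13:44 user=alice action=UPDATE target=customers.balance",
    "ts=2016-01-05T10:02:10 user=bob action=SELECT target=stock",
    "ts=2016-01-05T10:05:55 user=carol action=DELETE target=customers",
    "ts=2016-01-05T10:07:03 user=dave action=SELECT target=stock",
]

if __name__ == "__main__":
    print("excess grants:", excessive_privileges())
    for alert in review_log(SAMPLE_LOG):
        print("ALERT", *alert)
```

The grant review and the log review are deliberately separate: the first finds rights that could be abused before anything happens, the second finds abuse that has happened, and an account such as carol's that still carries full DBA rights after leaving shows up in the second check the moment it is used.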
Malware poses a constant threat to the system, resulting in identity risk and loss of information and security (Zhang-Kennedy, Chiasson, and Biddle, 2014). To protect against malware attacks, the computer needs to be protected by a robust security management system and software with regular updates and monitoring. A secure ISP (Internet service provider) must be entrusted with the online transactions. Security in ASA's telecommunication system is a must because all confirmations and queries are dealt with over the telephone.

Treating Storage Media Exposure: The magnetic tapes used to store data from the stock database must be used in a clean environment and updated regularly. Storing the magnetic disks in a protected area will protect them from data loss and in the case of theft (Galliers and Leidner, 2014). In ASA, a single computer is connected to the network; it must be ensured that no external devices such as portable hard disks and pen drives are connected to it. Regular and routine checks of the storage media will prevent the risk of information loss.

Treating the Database Faulty Configurations: The database initially configured in the ASA system has a glitch in it: it duplicates each and every record by itself every time the database is updated, which introduces redundancy into the database. The database design and operations need to be configured correctly to stop anomalies in the database (Power and Kramer, 2015). Regular monitoring and checking also need to be performed on the backup databases to check for any data loss and for faulty configuration resulting in defective results.

Treating the Denial of Service Attack: In ASA, a DoS attack on the system will not result in loss of information; rather, it will prevent authorised users from accessing the network. This will result in a great loss in terms of time and revenue.
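Since the DoS treatment discussed here rests on monitoring and reporting rather than on any single control, an added example of the detection side follows. It is not the essay's code; it keeps a sliding window of request timestamps and raises one alert when a single source address exceeds a per-address limit and a separate alert when the total request rate exceeds an aggregate limit, which is the case that matters when a flood is spread over many addresses so that no single one looks abnormal. The window size, both thresholds and the three traffic samples are constructed assumptions.

```python
"""Request-rate monitoring for a small web front end.

Added example, not from the article. Flags (a) a single source that floods
the server and (b) a flood spread over many source addresses where no
single address exceeds the per-address limit. The thresholds and the
traffic samples are constructed; a real deployment would tune them to the
observed baseline.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # assumed sliding window
PER_IP_LIMIT = 20        # assumed: more than this from one address per window
AGGREGATE_LIMIT = 100    # assumed: more than this in total per window


class RateMonitor:
    def __init__(self, window=WINDOW_SECONDS, per_ip=PER_IP_LIMIT,
                 aggregate=AGGREGATE_LIMIT):
        self.window, self.per_ip, self.aggregate = window, per_ip, aggregate
        self.by_ip = defaultdict(deque)   # ip -> timestamps still in window
        self.recent = deque()             # all timestamps still in window

    def _expire(self, now):
        """Drop timestamps that have fallen out of the window."""
        cutoff = now - self.window
        while self.recent and self.recent[0] <= cutoff:
            self.recent.popleft()
        for q in list(self.by_ip.values()):   # linear in #sources; fine at this scale
            while q and q[0] <= cutoff:
                q.popleft()

    def observe(self, ts, ip):
        """Record one request; return the alerts it raises (possibly none)."""
        self._expire(ts)
        self.by_ip[ip].append(ts)
        self.recent.append(ts)
        alerts = []
        if len(self.by_ip[ip]) > self.per_ip:
            alerts.append(("single-source flood", ip))
        if len(self.recent) > self.aggregate:
            alerts.append(("aggregate flood", f"{len(self.by_ip)} sources"))
        return alerts


def run(requests):
    """Feed (timestamp, ip) pairs through a monitor; return the distinct alert kinds."""
    mon = RateMonitor()
    kinds = set()
    for ts, ip in requests:
        for kind, _ in mon.observe(ts, ip):
            kinds.add(kind)
    return kinds


# Constructed traffic samples (timestamps in seconds).
def normal_traffic():
    # 2 requests/s spread over 5 hosts for 30 s
    return [(t * 0.5, f"10.0.0.{t % 5}") for t in range(60)]


def single_source_flood():
    # 40 requests in 4 s from one address
    return [(t * 0.1, "203.0.113.7") for t in range(40)]


def distributed_flood():
    # 150 requests in 7.5 s from 50 addresses, only 3 each
    return [(t * 0.05, f"198.51.100.{t % 50}") for t in range(150)]


if __name__ == "__main__":
    for name, sample in [("normal", normal_traffic()),
                         ("single source", single_source_flood()),
                         ("distributed", distributed_flood())]:
        print(f"{name:<14} -> {sorted(run(sample)) or 'no alert'}")
```

The per-address check alone would miss the third sample, which is exactly the difficulty the text raises about blocking individual IPs; the aggregate check catches it, and in practice that alert is what would trigger the emergency operating procedure rather than an automatic block.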
In ASA, since a single computer is connected to the dedicated system, the administration needs to know the complete details of the database as well as the system configuration in case of DoS attacks. Monitoring the network alone will not prevent a DoS attack (Tan et al., 2014). To prevent DoS attacks, a strong firewall must be installed on the system that checks every level of the architecture and reports to the administration whenever a single doubt arises. All users of ASA's online dedicated services must fully understand the tasks they are performing and their configuration. In the case of a DDoS (Distributed Denial of Service) attack, when the flooding comes from many different IP addresses, it becomes difficult to block every single IP. For emergencies, ASA must develop an Emergency Operating Procedure (EOP) to deal with the situation (Bevilacqua, Ciarapica, and Paciarotti, 2012).

Regulation and Recommendation applicable to ASA

According to Legislation.gov.uk (2016), under the Data Protection Act 1998, revised and brought into force from 2nd January 2016, ASA is obliged to follow the strict rules laid down by the Data Protection Act (Adelola, Dawson and Batmaz, 2014). Under the current UK legislation, ASA must use the data lawfully and only for the purpose of the online transactions made by the customers. The Data Protection Act also states that ASA must not hold the personal information provided by a customer for longer than necessary. It is ASA's responsibility to keep data and information safe and to ensure that the information provided by the customer for the transaction and purchase of auto spare parts is not transferred outside the European Economic Area without sufficient protection and security. The Computer Misuse Act 1990 (Legislation.gov.uk, 2016) protects computer data and programs from unauthorised access.
The Act also defines accessing a computer with the intention of committing a crime as itself a crime. To abide by the Data Protection Act, ASA must follow certain rules during the transfer of orders and personal data. Personal data that is recorded or processed during the transfer is covered by the Act. To protect ASA's data, personal information must be regularly updated and unnecessary data eradicated from the database. The IP address used when receiving and sending orders must be tracked to verify the source of the data. Every time personal data is uploaded to the system it must be adequately stored, verified and filed. A powerful, robust security management system and firewall must be installed by ASA to protect the information provided by online customers. To comply with the Computer Misuse Act, authentication and verification of every user of the computer is essential in ASA (Fafinski, 2013).

Physical Security Issue in ASA

Apart from the digital data and the risks in information management, ASA is exposed to physical security issues. The physical component of ASA is a single PC connected to a secure and dedicated web service, which in turn is connected to a backup database of the information. ASA also uses a telephone to clarify any doubts raised by customers, and has two identical printers used for printing invoices and receipts. In most cases, data remains vulnerable because of the irresponsibility and ignorance of employees. ASA employees must be verified and authenticated every time they log into the computer. Employee training is required on strong password protection and the risks associated with it. Access to the ASA warehouse must be controlled with identity authentication techniques such as biometric scanners, smart cards or magnetic cards. Efficient and effective sensors and an alarm system must be in place to give warning of any risks (Whitman and Mattord, 2013).
Installing a fire control system in ASA will prevent the loss of data and revenue in case of emergency. A good communication system between ASA's employees must be developed so that ASA is informed in time to prevent any theft or fraud.

Implementation of Security Policy in ASA

ASA's online system for selling its goods is vulnerable to different risks and threats. Protecting and monitoring the database against data loss and malicious threats is one part of security. For the overall protection of ASA in every aspect, a strong security system needs to be designed and implemented (Fernandez-Buglioni, 2013). The IT policy will be able to authenticate access to information, govern the use of the personal information held in ASA's database, modify existing data, remove unnecessary data, and even block access to data by unauthenticated users. The design of ASA's security system follows a particular procedure: investigation of the security issues and risks in ASA, identifying the objective and mission of the organisation. The logical design phase provides a model that brings all the security solutions together in one place. In the next stage, physical design, the necessary technologies and techniques are gathered so that the design can be implemented in the implementation phase. After the successful implementation of the process, the focus turns to areas of further enhancement of security.

Figure 1: Process of Design of the Security Policy (Source: Lincke, 2015, pp. 128)

Investigation: After a thorough investigation of the IT system in ASA, various vulnerable areas were identified. The backup database used by ASA automatically duplicates every entry in the system. The ASA system does not have any email facility set up for customer queries and support. The two identical printers are not used solely for invoices. The ASA website is directly connected to ASA's accessories stock database, which makes it a vulnerable point for an attack.
Initially, the database was controlled by a web hosting company, but it is now controlled by ASA's employees. The untrained employees pose a risk. ASA's network consists of only one PC, and there is no backup facility for a DoS attack or any other severe condition. ASA's security, both physical and software, is weak and does not provide adequate protection (Abdou, English and Adewunmi, 2014). In order to store customers' personal information, including banking details and addresses, within ASA while strictly following government rules and regulations, a strong security system is clearly needed.

Analysis: The investigation process has thrown light on the loopholes present in ASA's current security system. Analysis of the given situation showed that ASA is exposed to human error and to mistakes committed by its employees. ASA has no intention of increasing the number of workers with technical knowledge. There are a great many competitors trying to access the system and collect data, which leaves the ASA system vulnerable to threats. Lacking any firewall or strong security, ASA is under continuous attack from various malware. A DoS attack or a hardware failure would prove disastrous, since ASA has no backup or infrastructural support (Basile et al., 2013). The different types of equipment, including the backup database and the information it holds, can easily be moved without any authorisation.

Logical Design: The security system design for ASA must be effective and efficient. The security policy and the system designed can authenticate and authorise every user and employee of ASA. The security system is designed with the requirements of UK legislation in mind. The logical design made for ASA also covers the physical security of the entire network as well as of the auto spare parts in the warehouse. The design also covers the acquisition of the information system and the operations management process.
Physical Design: The physical design of ASA's security system includes the authentication and authorisation of employees at every level of ASA. Physical security needs to be increased by installing CCTV cameras and identifying employees by biometric scanner. This will decrease the chance of assets being misplaced within ASA and minimise the chance of theft (Baker and Benny, 2012). The number of computers in the network needs to be increased for smooth operation, efficient use of time and handling of large online traffic.

Implementation: Following the logical and physical design for the security system, an advanced, more secure system was installed in ASA. The ASA warehouse is secured by CCTV, observing every activity in real time. The systems and software on the network have been updated, and the firewall has been activated. The antivirus software has also been upgraded to meet the security need. The architecture of the database has been redesigned to prevent duplication of users' information. The direct connection between the website and the stock database has been changed to prevent malware attacks. Since ASA will not be hiring more employees, a training programme for the existing employees has been initiated.

Maintenance: ASA's security system has been implemented successfully, and the full system is under complete observation for further enhancement.

Access to ASA's stock

ASA's IT department needs to focus its attention on security, including the authentication and authorisation of its employees. Security access to ASA's stock includes password verification. A strongly formulated password is required to defeat amateur guessing. A strong password can be formed by combining numeric and alphabetical characters and at least one special symbol. In case of password loss, access can be recovered by email verification using an OTP. The strength of a password can be determined by various software tools that include data encryption.
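The password rule just stated (letters, digits and at least one special symbol) can be checked mechanically, and the same character-class information gives a rough strength estimate and a way to auto-generate passwords that satisfy the rule. The block below is an added example, not code from the essay or from any tool it mentions. The minimum length of 12, the character-pool sizes and the entropy estimate of length times log2(pool size) are assumptions; that estimate is the usual figure for a uniformly random password and overstates the strength of one a person chose.

```python
"""Password policy check, entropy estimate and generation for stock-system logins.

Added example (not the article's code). The policy mirrors the rule in the
text: letters, digits and at least one special symbol. The minimum length,
the pool sizes and the formula len * log2(pool) are assumptions; the
formula is the usual estimate for a uniformly random password, not a
measure of a human-chosen one.
"""
import math
import secrets
import string

MIN_LENGTH = 12                   # assumed minimum
SPECIALS = string.punctuation     # the 32 printable ASCII symbols


def char_classes(pw: str) -> dict:
    """Which character classes the password draws from."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }


def policy_check(pw: str) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    cls = char_classes(pw)
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not (cls["lower"] or cls["upper"]):
        failures.append("no alphabetic characters")
    if not cls["digit"]:
        failures.append("no digits")
    if not cls["special"]:
        failures.append("no special symbol")
    return failures


def entropy_bits(pw: str) -> float:
    """Estimate: length * log2(size of the pool the password draws from)."""
    cls = char_classes(pw)
    pool = (26 * cls["lower"] + 26 * cls["upper"]
            + 10 * cls["digit"] + len(SPECIALS) * cls["special"])
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0


def generate_password(length: int = 16) -> str:
    """Auto-generate a password that satisfies the policy using the OS CSPRNG.
    One character is drawn from each class first so the policy always holds,
    the rest from the full pool, and the result is shuffled."""
    if length < 4:
        raise ValueError("length must allow one character per class")
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]
    chars = [secrets.choice(p) for p in pools]
    full = "".join(pools)
    chars += [secrets.choice(full) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ["Password1!", "correcthorsebattery", generate_password()]:
        print(f"{candidate!r}: {entropy_bits(candidate)} bits, "
              f"failures={policy_check(candidate) or 'none'}")
```

`secrets` rather than `random` is the point of the generator: the policy check says nothing about how a password was produced, and a generated one is only as strong as the randomness behind it.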
Furthermore, a complex password entropy algorithm can be implemented when auto-generating a password.

Contingency Planning for Human Resources

In the training programme, employees will be educated about the different risks involved in the system and how to deal with them in case of emergency. For the absence of staff in any situation, a backup system needs to be initiated, and one has also been developed. In the case of system failure, a contract has been made with the web hosting company to look after the website's stock temporarily.

Gathering and Record of Information

CCTV (closed-circuit television) needs to be installed in ASA to watch over every activity in the warehouse. The database also records the login and logout details of every verified user. Login verification will be done by fingerprint verification in the warehouses. Furthermore, authentication and identification of users in ASA's system will be accomplished with a verified user ID and password.

Scheduling Audits

The database of the website will be regularly analysed and checked for any malfunctions. ASA has scheduled different audits every month to ensure that the standard procedures are being adhered to.

References

Abdou, H., English, J. and Adewunmi, P. (2014). An Investigation of Risk Management Practices in Electronic Banking: the case of the UK banks. Banks and Bank Systems, 9(3).
Adelola, T., Dawson, R. and Batmaz, F. (2014), December. Privacy and data protection in E-commerce: The effectiveness of a government regulation approach in developing nations, using Nigeria as a case. In Internet Technology and Secured Transactions (ICITST), 2014 9th International Conference for (pp. 234-239). IEEE.
Akanji, A.W. and Elusoji, A.A. (2014). A Comparative Study of Attacks on Databases and Database Security Techniques.
Aljawarneh, S. (2011). A web engineering security methodology for e-learning systems. Network Security, 2011(3), pp.12-15.
Baker, P.R. and Benny, D.J. (2012). The complete guide to physical security. CRC Press.
Baracaldo, N. and Joshi, J. (2013). An adaptive risk management and access control framework to mitigate insider threats. Computers & Security, 39, pp.237-254.
Basile, C., Canavese, D., Lioy, A. and Pitscheider, C. (2013), February. Improved reachability analysis for security management. In Parallel, Distributed and Network-Based Processing (PDP), 2013 21st Euromicro International Conference on (pp. 534-541). IEEE.
Bevilacqua, M., Ciarapica, F.E. and Paciarotti, C. (2012). Business process reengineering of emergency management procedures: a case study. Safety Science, 50(5), pp.1368-1376.
D'Agostino, D. and Wilshusen, G. (2011). DOD faces challenges in its cyber activities. Washington, D.C.: U.S. Govt. Accountability Office.
Durbin, S. (2011). Information security without boundaries. Network Security, 2011(2), pp.4-8.
Fafinski, S. (2013). Computer Misuse: Response, regulation and the law. Routledge.
Fernandez-Buglioni, E. (2013). Security patterns in practice: designing secure architectures using software patterns. John Wiley & Sons.
Galliers, R.D. and Leidner, D.E. (2014). Strategic information management: challenges and strategies in managing information systems. Routledge.
Hipgrave, S. (2013). Smarter fraud investigations with big data analytics. Network Security, 2013(12), pp.7-9.
Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), pp.74-81.
Imperva (2015). Cyber Security Leader | Imperva, Inc. [online] Available at: https://www.imperva.com [Accessed 26 Dec. 2015].
Kiltz, L. (2011). The Challenges of Developing a Homeland Security Discipline to Meet Future Threats to the Homeland. Journal of Homeland Security and Emergency Management, 8(2).
Legislation.gov.uk (2016). Computer Misuse Act 1990. [online] Available at: https://www.legislation.gov.uk/ukpga/1990/18/contents [Accessed 9 Jan. 2016].
Legislation.gov.uk (2016). Data Protection Act 1998. [online] Available at: https://www.legislation.gov.uk/ukpga/1998/29/contents [Accessed 9 Jan. 2016].
Lesk, A. (2013). Comment on Comparing proteins by their internal dynamics: Exploring structure-function relationships beyond static structural alignments by C. Micheletti. Physics of Life Reviews, 10(1), pp.33-34.
Lincke, S. (2015). Designing Information Security. In Security Planning (pp. 115-133). Springer International Publishing.
Mansfield-Devine, S. (2011). DDoS: threats and mitigation. Network Security, 2011(12), pp.5-12.
McNeil, A.J., Frey, R. and Embrechts, P. (2015). Quantitative Risk Management: Concepts, Techniques and Tools. Princeton University Press.
Pilling, R. (2013). Global threats, cyber-security nightmares and how to protect against them. Computer Fraud & Security, 2013(9), pp.14-18.
Power, M.A. and Kramer, R., Symbion Systems, Inc. (2015). Process control method with integrated database for electronically documenting the configuration, modification and operation of a controlled process. U.S. Patent 8,996,449.
Ramstrom, C.J., Computer Associates Think, Inc. (2013). Privileged activity monitoring through privileged user password management and log management systems. U.S. Patent 8,516,107.
Tan, Z., Jamdagni, A., He, X., Nanda, P. and Liu, R.P. (2014). A system for denial-of-service attack detection based on multivariate correlation analysis. IEEE Transactions on Parallel and Distributed Systems, 25(2), pp.447-456.
Thakkar, J. (2015). Database Security Encryption: A Survey Study. Management, 1(4), pp.379-383.
Turiel, A. (2011). IPv6: new technology, new threats. Network Security, 2011(8), pp.13-15.
Whitman, M. and Mattord, H. (2013). Management of information security. Cengage Learning.
Yu, J., Kim, M. and Unland, R. (2011). Database systems for advanced applications. Berlin: Springer.
Zhang-Kennedy, L., Chiasson, S. and Biddle, R. (2014). Stop clicking on update later: Persuading users they need up-to-date antivirus protection. In Persuasive Technology (pp. 302-322). Springer International Publishing.