(Published in "Communications Today" magazine - Nov 2011 issue)
| "Endpoint protection suites that include anti-malware/spyware, personal firewall, and security policy enforcement for VPN connectivity are replacing the basic anti-virus software." Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance
With growing penetration of mobile computing (tablets/mobile phones) and increasing proliferation of Internet access across India, financial services companies are leveraging the online mode of business. However, online transactions are prone to various security threats. Organized crime is targeting this lucrative avenue to make a fast buck.
Application security is one of the most neglected areas, which results in various vulnerabilities, and hackers take advantage of the unprotected websites and transaction portals to introduce malware to unsuspecting users. The unsuspecting users give away their confidential information and fall prey to fraud.
More and more users now access Internet through wireless networks, freely available at Wi-Fi hotspots in airports and cafes, which are unencrypted and unprotected. These networks are highly susceptible to threats like sniffing and hacking.
Enterprises are under growing pressure to allow BYOD, i.e., bring your own device. This means that employees are allowed to use their personal laptops/tablets to connect to the enterprise network and work on it. While this may help reduce costs to a certain extent, the number of security issues rise manifold.
Most websites now have SSL encryption between the client's web browser and server. This makes it difficult for the perimeter security products such as content filtering, anti-malware to scan the encrypted data and payload exchanged between the endpoint and server. Hackers use SSL as one of the ways to mask malware like viruses, Trojans, and other exploits and target corporate networks. Organisations cannot block SSL encrypted traffic because most business-critical websites use it.
SSL encrypted traffic can also be misused to leak sensitive data through encrypted email and filesharing sites. Access to social networking sites also poses risks to the networks and can be exploited as a channel for data leakage.
Attacks like DNS poisoning and click jacking direct users to malicious websites which look genuine and entice users to part with their credentials, passwords, and other confidential information.
Solutions Implemented By Financial Services
Organisations are deploying sophisticated tools to minimize threats to the network security. Endpoint protection suites that include anti-malware/spyware, personal firewall, and security policy enforcement for VPN connectivity are replacing the basic anti-virus software. Anti-phishing software and toolbars are now being used to warn end-users about malicious and spoofed sites.
In addition to network firewalls, organisations are deploying web application firewalls to protect their websites and portals. Intrusion detection and prevention systems are now the minimum requirement to protect the networks. Apart from these, content filtering tools are also being implemented to allow selective access to Internet content. Wireless networks are being encrypted and sandboxing virtual terminals are implemented for secure access through personal devices.
Data leakage prevention (DLP) suites are being implemented by many organisations. This is implemented with a defence-in-depth architecture. The DLP suite includes endpoint agents, network - email, Internet gateways, and servers. Some of the DLP software and perimeter security products now allow SSL visibility and control. These minimize the risk of data leakage or malware creeping in through encrypted traffic.
To protect customers from fraudulent transactions and attacks, most financial services companies now use two factor authentication, one-time passwords, and virtual keyboards for their online transactions.
While financial services companies are trying to implement various security measures to minimize the risk, criminals seem to be one step ahead and manage to find and exploit new loopholes or vulnerabilities to defraud the financial services companies and their customers.
|
No comments:
Post a Comment