2012/03/13 11:22:56

Reducing the risk of unauthorized access to a credit institution's information resources

Information systems play an ever greater part in information management. This overview is devoted to analysing the risk of unauthorized access to a bank's information systems and the role of centralized credential management systems in reducing it.

Content

Reducing the risk of unauthorized access to a credit institution's information resources by means of access control and credential management

Introduction

The activity of a modern bank largely comes down to managing financial information: the movement of money and obligations across accounts, settlements between credit institutions, trading on currency and other financial markets.

This financial information is created, stored, changed and controlled with the ever-growing participation of information systems.

However, new technologies, for all their undeniable usefulness, also bring new risks into banking. In some cases old risks are transformed into new ones, sometimes on a larger scale. One such new risk is unauthorized access (NSD) to the information systems and information [1] belonging to the credit institution.

Our study is devoted to analysing this risk and the role that centralized credential and access management systems [2] play in minimizing it.

Unauthorized access and unauthorized actions

Most of the risks a credit institution faces when using information systems arise from unauthorized actions on the bank's financial information, and such actions are above all a consequence of the person performing them having obtained unauthorized access to information resources and systems.

Unauthorized actions most often take the form of executing banking operations [3], as well as stealing information or altering it in a direction that suits the attacker.

Although the risks in question are above all those connected with deliberate actions, inadvertent errors in employees' work should not be lost sight of either. Such actions can likewise lead to unauthorized changes to information and consequently cause damage [4] to the credit institution.

Thus, the bank's information security system ([5]) must be built so as to minimize the possibility of unauthorized access, thereby reducing the probability of unauthorized actions both by attackers and by employees of the organization who inadvertently perform actions dangerous to information security.

The question "How can the risk of unauthorized access be reduced?" is the key one in this study. To answer it, we first consider the typical situations in which unauthorized access occurs and the protective measures [6] for preventing it. We then describe the existing tools that implement those protective measures. After that follows a detailed analysis of the role of each tool in reducing risk and of how it works.

Threat scenario: A person uses rights they should not have for unauthorized access and actions.

For example, an employee has already been dismissed, but their password still works. Or an employee has been transferred to another department but still holds the rights of their former workplace.

Protective measure: Increase the degree of compliance between what an authorized user is permitted to do in the bank's information system and what they can actually do there at the moment. A mismatch between the two can arise both when an employee's position changes and when the bank's information environment changes:
  • Any change in an employee's position that entails a change in their rights should be reflected as soon as possible in their real rights in the computer system.
  • Introducing new information systems and changing old ones may require a serious reorganization of user rights, which, without due centralization and control, worsens this compliance.

To achieve this compliance, the bank's IT division must have tools that allow employees' rights to be changed quickly and, at the same time, in a controlled manner. Making this process more efficient matters from another side too: it is highly desirable to minimize the number of IT administrators who have the right to change employees' rights. All of this applies equally to the authenticators issued to a user, both for the first time and as replacements for compromised ones. Simplifying these procedures also makes it possible to entrust the issuing of rights not only to IT specialists but, for example, to an employee from the personnel department or the security department, which in turn further increases the compliance described in this point.

Threat scenario: A person uses their legitimate rights for unauthorized access and actions.

Protective measure: More granular control of user rights, including the introduction of new rights not originally provided by the information system (application, etc.).

Expanded audit and the possibility of rapid withdrawal of rights, and thus minimization of damage through rapid detection and suppression of unauthorized actions.

Threat scenario: An unauthorized action has already happened or is ongoing.

Protective measure: Expanded audit and the possibility of rapid withdrawal of rights, and thus minimization of damage through rapid detection and suppression of unauthorized actions.

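The first scenario above (a dismissed employee whose login still works, a transferred employee who kept old rights) is exactly what a reconciliation of HR records against the accounts actually present in target systems detects. The following is an added example, not code from the original article; the role model, systems, users and rights are constructed.

```python
"""Added example: reconcile the rights employees actually hold in target
systems against what their current HR position entitles them to.
All sample data below is constructed for illustration."""
from dataclasses import dataclass, field

# Hypothetical role model: what each position is entitled to, per system.
ENTITLEMENTS = {
    "operator":   {"core_banking": {"view_account", "create_payment_order"}},
    "controller": {"core_banking": {"view_account", "approve_payment_order"}},
}

@dataclass
class HrRecord:
    user: str
    position: str
    active: bool          # False once the employee has been dismissed

@dataclass
class Account:
    system: str
    user: str
    enabled: bool
    rights: set = field(default_factory=set)

def reconcile(hr, accounts):
    """Return findings as tuples (kind, user, system, detail).
    kinds: 'dismissed_active', 'excess_right', 'missing_right'."""
    hr_by_user = {r.user: r for r in hr}
    findings = []
    for acc in accounts:
        rec = hr_by_user.get(acc.user)
        if rec is None or not rec.active:
            # An enabled account with no active HR owner: dismissal not reflected
            if acc.enabled:
                findings.append(("dismissed_active", acc.user, acc.system, ""))
            continue
        expected = ENTITLEMENTS.get(rec.position, {}).get(acc.system, set())
        for r in sorted(acc.rights - expected):   # leftovers from a former position
            findings.append(("excess_right", acc.user, acc.system, r))
        for r in sorted(expected - acc.rights):   # entitlement not yet provisioned
            findings.append(("missing_right", acc.user, acc.system, r))
    return findings

# Constructed sample: ivanov was dismissed but can still log in;
# petrova moved from operator to controller and kept her old right.
SAMPLE_HR = [
    HrRecord("ivanov", "operator", active=False),
    HrRecord("petrova", "controller", active=True),
]
SAMPLE_ACCOUNTS = [
    Account("core_banking", "ivanov", True, {"view_account", "create_payment_order"}),
    Account("core_banking", "petrova", True,
            {"view_account", "create_payment_order", "approve_payment_order"}),
]

if __name__ == "__main__":
    for finding in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(finding)
```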


The role of centralized systems for managing users' access to information resources and their credentials

To implement the above measures against unauthorized access and actions, the arsenal of IAM-class systems contains the following tools:

  • Modern multifactor authentication of the user, which considerably reduces the probability of an unauthorized person gaining access to an information system and also makes it harder to hand authenticators over to other persons.
  • A user account management system [7] that simplifies and speeds up the issuing and withdrawal of user rights, increases control over them and, thanks to greater automation, allows more granular control of user rights without loss of efficiency.
  • A single point of access [8] to all the information systems the user is connected to, which consolidates control of user actions, simplifies authentication procedures for the user and generally reduces the possibility of the user's authenticators being compromised.
  • The introduction of new rights not originally provided by the information system. For example, when a transaction amount exceeds a certain threshold, the user must undergo repeated or additional authentication. In other words, two users may have the identical right to create payment orders, but only one of them will be able to create payment orders above a certain amount.
  • Expanded audit, which increases the traceability of unauthorized actions both in real time and after the fact. This is achieved through centralized control of user actions and a more detailed description of those actions (down to the name of the IT administrator who issued the given rights to the given employee). Thus not only access (the use of rights) is audited, but also the issuing and changing of rights.
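The two last points, a step-up right that the target application itself does not know about and a single log that records who granted each right alongside its use, can be shown together in one small central rights store. This is an added example, not code from the article or from any IAM product; the threshold, right names, users and administrator name are constructed.

```python
"""Added example: a central rights store that records who granted each
right, enforces additional authentication for payment orders above a
threshold, and keeps one log for rights changes and their use.
All names and values are constructed for illustration."""
from collections import namedtuple
from datetime import datetime, timezone

STEP_UP_THRESHOLD = 1_000_000   # constructed threshold, in currency units

Grant = namedtuple("Grant", "user right granted_by at")
Event = namedtuple("Event", "at kind user detail")

class IamCore:
    def __init__(self):
        self.grants = {}   # (user, right) -> Grant, incl. the issuing admin
        self.log = []      # unified log: grant/revoke and allow/deny events

    def _now(self):
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def grant(self, admin, user, right):
        g = Grant(user, right, admin, self._now())
        self.grants[(user, right)] = g
        self.log.append(Event(g.at, "grant", user, f"{right} by {admin}"))

    def revoke(self, admin, user, right):
        if self.grants.pop((user, right), None) is not None:
            self.log.append(Event(self._now(), "revoke", user, f"{right} by {admin}"))

    def who_granted(self, user, right):
        """Audit query: which administrator issued this right to this user."""
        g = self.grants.get((user, right))
        return g.granted_by if g else None

    def create_payment_order(self, user, amount, second_factor_ok=False):
        """Return True if the order may proceed. Both outcomes are logged."""
        if (user, "create_payment_order") not in self.grants:
            self.log.append(Event(self._now(), "deny", user, f"no right, amount={amount}"))
            return False
        if amount > STEP_UP_THRESHOLD:
            # Step-up right 'high_value' exists only in the central store; it
            # additionally requires a freshly confirmed second factor.
            if (user, "high_value") not in self.grants or not second_factor_ok:
                self.log.append(Event(self._now(), "deny", user, f"step-up failed, amount={amount}"))
                return False
        self.log.append(Event(self._now(), "allow", user, f"payment order, amount={amount}"))
        return True

def demo():
    """Two operators with the same basic right; only one may exceed the threshold."""
    iam = IamCore()
    iam.grant("admin_sidorov", "operator_a", "create_payment_order")
    iam.grant("admin_sidorov", "operator_b", "create_payment_order")
    iam.grant("admin_sidorov", "operator_b", "high_value")
    results = (
        iam.create_payment_order("operator_a", 500_000),
        iam.create_payment_order("operator_a", 2_000_000, second_factor_ok=True),
        iam.create_payment_order("operator_b", 2_000_000),
        iam.create_payment_order("operator_b", 2_000_000, second_factor_ok=True),
    )
    return iam, results
```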

Below we consider these tools in more detail, separately noting the influence of each tool and practice on reducing operational risk in the activity of a financial institution.

Authentication [9]

To prove their identity, the user presents one or more authenticators. The best-known authenticator is the password. It may also be an access card, a fingerprint and many other things. In total, more than twenty types of authenticators are in active use in the industry.

One of the important ways of strengthening an authentication system is so-called multifactor authentication, which considerably reduces the probability that someone other than the user passes authentication.

Multifactor authentication is the simultaneous use of authenticators from different groups of authenticators:

  • something the user knows (for example, a password or PIN code)
  • something the user possesses (for example, a bank card or access card)
  • something that is an inherent characteristic of the user (for example, a fingerprint)
  • where the user is (using, for example, data from ACS systems [10])

Approach to authentication: Multifactor authentication. For example, password and card, or password and fingerprint.

How it reduces risk: Increases the difficulty of passing the authentication procedure, since the attacker has to attack several different authentication systems.

Approach to authentication: Reducing the number of authenticators the user needs to know or have. This is achieved by using SSO. The option of introducing a single access card, both for the ACS and for access to the computer system, should also be considered.

How it reduces risk: Reduces the risk of authenticator compromise. For example, the user can remember one password or keep one access card safe. If there are many passwords, the user will simply be forced to write them down somewhere, thereby increasing the probability of their compromise.

Approach to authentication: Simplifying the authentication procedure for the user. This is achieved using SSO. Also, for example, it is simpler to put a finger on a scanner than to type a password. Besides, a password still has to be remembered, and an access card has to be kept.

How it reduces risk: Makes it easier for the user to follow security policies and reduces the probability of violating them.

Approach to authentication: Rapid withdrawal and re-issue of authenticators in case of compromise.

How it reduces risk: Rapid suppression of unauthorized access.



Account management system (IdM)

A bank employee may have access to several of the bank's information systems at the same time (applications, databases, websites, etc.). Using connectors to these systems, IdM makes it possible to create and change accounts in them automatically from a central console and also to change the user's rights in them. This minimizes operational risk as follows:

What IdM does: Speeds up the creation, change and removal of user accounts and changes to user rights.
How it reduces risk: Increases the degree of compliance between the user's real rights and those they should have.

What IdM does: Simplifies the creation, change and removal of user accounts and changes to user rights.
How it reduces risk: Makes more precise tuning of user rights possible.

What IdM does: Reduces the number of IT employees who have the right to change user rights.
How it reduces risk: Employees who are not IT specialists, for example from the personnel department or the security department, can create accounts, change user rights and control this process.

What IdM does: Centralizes the creation, change and removal of user accounts and changes to user rights.
How it reduces risk: Increases the effectiveness of control over accounts, user rights and their changes.

What IdM does: Rapid withdrawal of the user's rights, up to and including removal of their account.
How it reduces risk: Rapid suppression of unauthorized action.



Single point of access (SSO)

If IdM centralizes and automates the management of accounts and user rights, SSO adds to this centralized user access to all information systems.

User access to applications then passes not directly through the specific application but through the SSO agent. The user authenticates once to the SSO agent, after which the SSO agent itself authenticates the user in the required information systems. The user knows only the authenticator for the SSO agent (for example, a password) and does not know the passwords for the specific information systems they access through the SSO agent.

What SSO does: Access to any information system passes through the SSO server and is recorded in its log. Additional authentication of critical user actions in information systems.
How it reduces risk: Increases the level of control over user actions, both in real time and after the fact.

What SSO does: Centralized issuing, revocation and re-issue of authenticators in case of compromise.
How it reduces risk: Rapid suppression of unauthorized access. Rapid re-issue of authenticators.

What SSO does: Authentication is performed once.
How it reduces risk: It is comparatively safe for the user to keep one authenticator. For example, it is simpler to remember one password than ten. This reduces the probability of authenticator compromise.

What SSO does: Automatic, regular change of user passwords in the target systems.
How it reduces risk: Guarantees that information security regulations on regular password changes are fulfilled.

What SSO does: Use of secure encryption methods for authentication information, integration with PKI.
How it reduces risk: Ensures the security of the stored information. When PKI is used, access is guaranteed only to the holder of the data owner's private key.

What SSO does: Standardization of the authentication procedure.
How it reduces risk: Makes it possible to maintain a uniform corporate policy on authentication, for example uniform password complexity requirements or the introduction of a single access card.

The user gets used to the single standard authentication procedure, and any deviation from it (for example, a phishing attempt by an attacker) raises reasonable suspicion in the user.



Expanded audit

The IAM tools described above considerably expand the possibilities for auditing both user actions and changes to their rights [11]. This substantially simplifies monitoring compliance with the principles of operational risk management and identifying sources of such risk as regards the organization of work of credit institutions' information systems.

In some cases, the detailed logging of user actions by IAM components can be used not only for audit and for preventing possible information leaks, but also as an evidential base when investigating information security incidents.

IAM tool: Account management system (IdM).
How it expands audit: The creation, change and removal of user accounts and changes to user rights are recorded in the unified log. The log also records who performed each creation, change or removal of an account or change of user rights, and when.

IAM tool: Single point of access (SSO).
How it expands audit: Access to any information system passes through the SSO server and is likewise recorded in the unified log.

IAM tool: Authentication.
How it expands audit: Integration with the ACS allows an additional factor, the employee's location, to be recorded in the unified log.

IAM tool: IAM as a whole.
How it expands audit: The central console and the unified log allow employees who are not IT specialists, for example from the security department, to quickly analyse the current situation.

Conclusion

As the detailed consideration of IAM tools and practices above shows, the use of these tools and practices, the key ones being:

  • multifactor and strong user authentication,
  • a single point of access to information systems,
  • management of user credentials,

substantially reduces the possibility of unauthorized access and unauthorized actions when using information systems, and thereby raises the overall level of the credit institution's information security.

From this it can be concluded that:

  • by implementing IAM tools and practices, a financial institution achieves a considerable reduction in the risk of damage from information security incidents [12];
  • IAM tools are an important part of the infrastructure that ensures the information security of a modern bank [13] [14] [15].

The IAM tools listed in this overview complement and reinforce each other, and applying them together brings the greatest positive effect. However, experience of implementing and operating such systems has shown that step-by-step implementation is optimal. It should also be noted that each stage of implementing IAM tools should be carried out according to a developed strategy of action, and one of the first tasks is to reduce the number of sources of user accounts used by the organization to a minimum and to audit all existing accounts.

References

"Recommendations on the organization of operational risk management in credit institutions", appendix to Bank of Russia Letter No. 76-T of May 24, 2005 "On the organization of operational risk management in credit institutions".

Bank of Russia Standard STO BR IBBS-1.0-2010 "Ensuring information security of organizations of the banking system of the Russian Federation. General provisions".

Sound Practices for the Management and Supervision of Operational Risk. February 2003. Basel Committee on Banking Supervision.

Minimizing the Risk of Internal Fraud in Challenging Times. May 2009. Datamonitor.

Magic Quadrant for Enterprise Single Sign-On. September 2009. Gregg Kreizman. Gartner Research.

Identity Management Market Forecast 2007 To 2014. Andras Cser and Jonathan Penn. February 2008. Forrester Research.

Enterprise Single Sign-On: The Fast Lane To Identity And Access Management. Andras Cser. November 2010. Forrester Research.

Notes

  1. Information asset (in STO BR IBBS terms): information with details that allow it to be identified; having value for an organization of the banking system of the Russian Federation; at the disposal of that organization and presented on any material carrier in a form suitable for its processing, storage or transfer.
  2. IAM: Identity and Access Management.
  3. The attacker's main purpose is to gain control over information assets at the business-process level. A direct attack at the business-process level, for example by disclosing confidential bank analytical information, is more effective for the attacker and more dangerous for the owner than an attack carried out through the lower levels, which requires specific experience, knowledge and resources (including time) and is therefore less effective in terms of the cost/result ratio (STO BR IBBS, clause 6.4).
  4. Damage: loss of assets, damage to (loss of properties of) assets and/or infrastructure of the organization, or other harm to the assets and/or infrastructure of an organization of the banking system of the Russian Federation, caused by the realization of information security threats through information security vulnerabilities. (STO BR IBBS, clause 3.45.)
  5. Information security subsystem (in STO BR IBBS terms): the set of protective measures, protective tools and the processes of operating them, including resource and administrative (organizational) support.
  6. Protective measure: an established practice, procedure or mechanism used to reduce the risk of a violation of the information security of an organization of the banking system of the Russian Federation. (STO BR IBBS, clause 3.42.)
  7. IdM: Identity Management.
  8. SSO: Single Sign-On.
  9. Authentication (in STO BR IBBS terms): verification that the identifier presented by an access subject belongs to it (confirmation of authenticity).
  10. ACS: physical access control and management system.
  11. Procedures for collecting and storing information about the actions of employees of the BS RF organization, and about events and parameters relating to the functioning of protective measures, must be documented and carried out. (STO BR IBBS, clause 8.12.3.)
  12. Information security incident (in STO BR IBBS terms): an event indicating an accomplished, attempted or probable realization of an information security threat. Information security threat (in STO BR IBBS terms): a threat of violation of the information security properties (availability, integrity or confidentiality) of the information assets of an organization of the banking system of the Russian Federation.
  13. Built-in protective measures should be applied as part of the core banking system, and BS RF organizations are recommended to use information protection tools against unauthorized access and unauthorized actions that are certified or approved for use by management. (STO BR IBBS, clause 7.4.2.)
  14. The BS RF organization should have documented and management-approved procedures for identification, authentication and authorization; access control; integrity control; and registration of events and actions, and these procedures should be carried out and controlled. (STO BR IBBS, clause 7.4.3.)
  15. The BS RF organization should apply protective measures aimed at protecting against unauthorized access and unauthorized actions, damage or violation of the integrity of the information needed for the registration, identification, authentication and/or authorization of the organization's clients and employees. All attempts at unauthorized access to, and unauthorized actions on, such information should be registered. On dismissal or change of job responsibilities of employees of the BS RF organization who had access to this information, documented procedures for the corresponding review of access rights must be performed. (STO BR IBBS, clause 7.4.11.)