Short Description on the Presenter
Mohammad Tohidur Rahman Bhuiyan
CGEIT, CISA, A+, MCSD, ISMS, CSCF, CEH

Working Experience
Served 11 years in the Bangladesh Air Force and retired as Flight Lieutenant. Then I started working as a special tech faculty at New Horizon (USA based), Bangladesh, from 2001, and served as Head of IT at Opex and Sinha Group. Subsequently, as Manager - IT Security, IT Operations; Senior Manager - Audit, IT and System Security at BRAC Bank; and in many similar portfolios. I was one of the core team members for making and establishing IT-driven business Policy, Process, Standard and Procedure. My proven project was BRAC Bank's Data Center (based on the Tier-IV industry standard); besides, I was the Data Center Consultant for ICB Bank. I worked at Japan Bangladesh Group as Executive Director (Head of Information System & IS Security) and at IRIS JV (Tusuka Technotrade Limited) as Head of Operation (Nationwide) for MRP & MRV (Machine Readable Passport & Machine Readable Visa). I am working as Special Technical Faculty, New Horizon Computer Learning Center (NHCLC, USA based), and Guest Faculty of BIBM (Bangladesh Institute of Bank Management), conducting courses/classes related to Information System Audit, Security, Risk Management and Governance, etc. Alongside, I am the Lead Auditor (representing RightTime) for the CCA (Controller of Certifying Authorities), Bangladesh, under the Ministry of Science and Information & Communication Technology.
Besides all the above, I am looking after my firm RightTime Limited, a total shop for Information System Solutions (www.righttime.org).

Certification and Expertise
I hold the first ever CGEIT (Certified in the Governance of Enterprise Information Technology, ISACA USA) certification in Bangladesh. I completed my post-graduation in Information System Security (core areas: IS Audit, Cyber Security & Cyber Forensic, Information Security Management Standard, Business Continuity Planning & Disaster Recovery Planning) at West Bengal University of Technology, India. Besides, I have adequate exposure to the Finacle Core Banking Application Software and IS Project Management (especially Data Center and Data Preservation Standards, i.e. Data Warehouse & Data Mining Techniques and Tactics, etc.). I have had exposure to IT Governance and Compliance in line with the Central Regulatory Bodies, ISO/BS and Industry Standard Best Practices. I have fair knowledge of Alternative Delivery Channels, i.e. Visa Credit Cards, VISA Debit Cards, ATM & POS Network, SMS Banking, Phone Banking and Internet Banking. I have official recognition on: CGEIT, CISA, A+, MCSD, ISMS, CSCF, CEH.
Beside the above, the speaker has adequate acumen in the domains below.

1. Information Security Management System (International Standard)
2. CDCP (Certified Data Center Professional)
3. Information System Audit
4. Core Banking System and the Future
5. IT Operations
6. Business Continuity and Disaster Recovery Planning
7. CISA, ISACA Preparatory Course
8. Beside skill development, the speaker is confident on assisting/consultation services for IS Policy, Standard, Procedure Development and Handling of IS Projects of any volume.

1. Quality management systems
2. ISO 9001:2008 preparatory consultation for achieving the certificate
3. ISO 27001:2005 preparatory consultation for achieving the certificate
4. Cyber Security and Cyber Forensic
5. CDCS (Certified Data Center Specialist)
6. ISec Grade Audit Methodology
7. IT Infrastructure Library (ITIL) V 3.0
8. ICT Guideline Implementation
9. Service Process Management
10. Risk Management
11. Certified Information System Security Professional (CISSP)

Overview of the Presentation
Online Business & Security Aspects
Internet Banking
Mobile Banking
Information Security & Latest Threats in IS
Phishing Attack under Network Security
Short Description on Phishing Attack
Question & Answer Session
Online Business Models & Features
Basically, Online Business is the process of buying, transferring, or exchanging products, services, and/or information using the web, the Internet, intranets, extranets, or some combination of these. In short, it is the automation of commercial transactions using computer and communication technologies, facilitated by the Internet and the WWW.

Online Business Models:
Business-to-Business: EDI
Business-to-Consumer: WWW retailing
1. E-shops
2. E-commerce
3. E-procurement
4. E-malls
5. E-auctions
6. E-Banking/ Online Banking
7. Virtual Communities
8. Collaboration Platforms
9. Third-party Marketplaces
10. Value-chain Integrators
11. Value-chain Service Providers
12. Information Brokerage
13. Telecommunication
14. Customer relationship

Some Features:
Easy, global access, 24 hour availability
Customized products and services
Back Office integration
Additional revenue stream

Online Business Participants

Online Business/ E-Commerce Problems
Snooper
Unknown customer
Unreliable merchant

Online Business Risks
Customer's risks:
Stolen credentials or password
Dishonest merchant
Disputes over transaction
Inappropriate use of transaction details
Merchant's risks:
Forged or copied instruments
Disputed charges
Insufficient funds in customer's account
Unauthorized redistribution of purchased items
Main issue: a secure payment scheme

E-Commerce Security
Authorization, Access Control: protect the intranet from hordes (gangs): Firewalls
Confidentiality, Data Integrity: protect contents against snoopers: Encryption
Authentication: both parties prove their identity before starting a transaction: Digital certificates
Non-repudiation: proof that the document originated from you and you only: Digital signature

Electronic Payments: Issues
Secure transfer across the Internet
High reliability: no single point of failure
Atomic transactions
Anonymity of the buyer
Economic and computational efficiency: allow micropayments
Flexibility: across different methods
Scalability in number of servers and users

E-Payments: Secure Transfer
SSL: Secure Socket Layer, below the application layer
S-HTTP: Secure HTTP, on top of HTTP

Online Banking Products
Personal Financial Management (PFM)
Mobile Banking
Remote Deposits
Online Enrollment
P2P powered by PayPal
RemoteFI
Bill Pay
Alert Center
Institution-2-Institution Transfers
Business Banking
Online Lending
CRM
Marketing

Internet Banking
With Internet access increasing for everyone, Internet banking (also referred to as e-banking) has emerged as the latest wonder for the delivery of banking products & services. Banking is now no longer confined to the branch, where one had to approach the branch in person to withdraw cash, deposit a cheque or request a statement of accounts. In true Internet banking, any inquiry or transaction is processed online without any reference to the branch (anywhere banking) at any time.
Providing Internet banking has become a "need to have" rather than a "nice to have" service. Net banking is thus now more of a norm than an exception in many developing countries, due to the fact that it is the cheapest way of providing banking services.
Mobile Banking
Mobile Banking refers to the provision and availment of banking and financial services with the help of mobile telecommunication devices. The scope of offered services may include facilities to conduct bank and stock market transactions, to administer accounts and to access customized information. According to this model, Mobile Banking can be said to consist of three inter-related concepts:
Mobile Accounting
Mobile Brokerage
Mobile Financial Information Services

Mobile Banking Services
Mobile banking can offer services such as the following:
Account Information
Payments, Deposits, Withdrawals, and Transfers
Investment Support
Content Services
Challenges in Mobile Banking Solutions
Handset operability: There is a large number of different mobile phone devices, and it is a big challenge for banks to offer a mobile banking solution on any type of device. Some of these devices support Java ME and others support the SIM Application Toolkit, a WAP browser, or only SMS.
Challenges in Mobile Banking Solutions
Security: Security of financial transactions being executed from some remote location, and transmission of financial information over the air, are the most complicated challenges that need to be addressed jointly by mobile application developers, wireless network service providers and the banks' IT departments. The following aspects need to be addressed to offer a secure infrastructure for financial transactions over a wireless network:
Physical security of the hand-held device. If the bank is offering smart-card based security, the physical security of the device is more important.
Security of any thick-client application running on the device. In case the device is stolen, the hacker should require at least an ID/password to access the application.
Authentication of the device with the service provider before initiating a transaction. This ensures that unauthorized devices are not connected to perform financial transactions.
User ID / password authentication of the bank's customer.
Encryption of the data being transmitted over the air.
Encryption of the data that will be stored on the device for later / off-line analysis by the customer.
One-time passwords (OTPs) are the latest tool used by financial and banking service providers in the fight against cyber fraud [6]. Instead of relying on traditional memorized passwords, OTPs are requested by consumers each time they want to perform transactions using the online or mobile banking interface. When the request is received, the password is sent to the consumer's phone via SMS. The password expires once it has been used or once its scheduled life-cycle has elapsed.
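The two OTP properties the slide names, single use and a fixed life-cycle, are what a bank's server-side verifier has to enforce. The following is an added illustration, not code from the presentation or any bank product; the customer ID, the 120-second lifetime, the three-attempt lock-out and the in-memory store are all assumed values for the example.

```python
"""Single-use, time-limited OTP service, as the SMS OTP slide describes."""
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed policy: lock the code after three wrong guesses


class OtpService:
    def __init__(self, lifetime_seconds: float = 120.0) -> None:
        self.lifetime = lifetime_seconds
        self._store: dict[str, dict] = {}  # customer_id -> pending OTP record

    @staticmethod
    def _digest(customer_id: str, code: str) -> bytes:
        # Store only a hash, so a leaked table does not yield usable codes.
        return hashlib.sha256(f"{customer_id}:{code}".encode()).digest()

    def issue(self, customer_id: str, now: float) -> str:
        """Generate a fresh 6-digit code; a new request replaces any older one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._store[customer_id] = {
            "digest": self._digest(customer_id, code),
            "expires_at": now + self.lifetime,
            "attempts_left": MAX_ATTEMPTS,
        }
        return code  # handed to the SMS gateway; never written to logs

    def verify(self, customer_id: str, code: str, now: float) -> str:
        """Return 'ok' or a rejection reason. 'ok', 'expired' and 'locked'
        all consume the code, so it can never be presented a second time."""
        entry = self._store.get(customer_id)
        if entry is None:
            return "no_active_otp"
        if now > entry["expires_at"]:
            del self._store[customer_id]
            return "expired"
        entry["attempts_left"] -= 1
        # Constant-time comparison of hashes, never of the raw code strings.
        if hmac.compare_digest(entry["digest"], self._digest(customer_id, code)):
            del self._store[customer_id]  # single use: consumed on success
            return "ok"
        if entry["attempts_left"] <= 0:
            del self._store[customer_id]
            return "locked"
        return "wrong_code"
```

The clock is passed in as `now` so the expiry rule can be exercised deterministically; in production it would be the server's current time, never a timestamp supplied by the client.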
Challenges in Mobile Banking Solutions
Scalability & Reliability: Another challenge for the CIOs and CTOs of the banks is to scale up the mobile banking infrastructure to handle exponential growth of the customer base. With mobile banking, the customer may be sitting in any part of the world (true anytime, anywhere banking), and hence banks need to ensure that the systems are up and running in a true 24 x 7 fashion. As customers find mobile banking more and more useful, their expectations of the solution will increase. Banks unable to meet the performance and reliability expectations may lose customer confidence. There are systems such as Mobile Transaction Platform which allow quick and secure mobile enabling of various banking services. Recently in India there has been phenomenal growth in the use of Mobile Banking applications, with leading banks adopting Mobile Transaction Platform and the Central Bank publishing guidelines for mobile banking operations.

Challenges in Mobile Banking Solutions
Application distribution: Due to the nature of the connectivity between a bank and its customers, it would be impractical to expect customers to regularly visit banks or connect to a web site for regular upgrades of their mobile banking application. It is expected that the mobile application itself checks for upgrades and updates and downloads the necessary patches (so-called "Over The Air" updates). However, there could be many issues in implementing this approach, such as upgrade / synchronization of other dependent components.
Challenges in Mobile Banking Solutions
Personalization: The mobile application would be expected to support personalization such as:
Preferred Language
Date / Time format
Amount format
Default transactions
Standard Beneficiary list
Alerts
What is Information Security?
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security is concerned with the confidentiality, integrity, availability & reliability of data regardless of the form the data may take: electronic, print, or other forms.

Information Security Threats
The CISSP / ISO27k implementers forum identifies the following threats:
Imposition of legal and regulatory obligations
Cyber-criminals
Malware, Trojans
Phishers (active attack under Internet threats)
Spammers
Negligent staff
Storms, tornados, floods - Acts of God
Hackers
Unethical employees who misuse/misconfigure system security functions
Unauthorized access to, modification of, or disclosure of information assets
Nations attacking critical information infrastructures to cause disruption
Technical advances that can render encryption algorithms obsolete
Phishing Attack under Network Security
Network security attacks fall into two groups: passive attacks and active attacks.

Passive attacks:
Network analysis
Eavesdropping
Traffic analysis

Active attacks:
Brute-force attack
Masquerading
Packet replay
Phishing
Message modification
Unauthorized access through the Internet or web-based services
Denial of service
Dial-in penetration attacks
E-mail bombing and spamming
E-mail spoofing
Short Description on Phishing Attack

Module Flow

Introduction

Reason for Successful Phishing (continued)

Reason for Successful Phishing