Excess Or Inadequate Humidity


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Figure: Risk from different angles

To continue with this topic, we should first have a basic idea of what risk is. From the perspective of IT security, risk is a weakness that could lead to the loss of availability, confidentiality or integrity of a particular computer service or program.

When considering risks, we should have a clear idea of how risk is categorized. Risk can be of two types: it can occur as a result of natural disasters, or it can be man-made.

1.1.1 The effect of natural disasters to information assets in the selected organization

Natural disasters can strike anywhere, with unpredictable loss to people. A disaster that occurs as a physical phenomenon, e.g. floods, earthquakes, tsunamis, hurricanes and tornadoes, can be considered a natural disaster. For us in an Asian country, the word "tsunami" has been really familiar since the year 2004. Let us see how these natural disasters or environmental behaviors can be mapped to the information assets of the selected organization.

Excess or inadequate Humidity

Figure: Moisture in the air

This factor directly affects or threatens the reliability of the computer network. It is well known that most of the banks in our country have automated their day-to-day workload with computer systems. All the nodes are connected to a centralized location, which we know as a server. If the percentage of moisture in the air is high, it can increase oxidation. This directly affects the connectors, conductors and electronic circuits used in the server room. As a result, it can create high-resistance current paths, which lead to unpredictable circuit performance.

If the percentage of moisture in the air is too low, this increases the possibility of peripherals "zapping" because of static electricity.

Poor quality of the Power

Figure: Power failure

In many situations, erratic performance of computers and catastrophic system failures have been attributed to the quality of the power. Three main reasons have been identified for this problem. The supplied electricity is often affected by undervoltage, unpredictable spikes, power drops and pollution from high-frequency noise. These power fluctuations affect the internal temperature of the computers and degrade the components.

Water damages/floods

When we categorize risk, this scenario is ranked in second position among the other situations. Apart from the common water problems, it is well known that computer networks use air conditioners to keep a static temperature inside the room. Sometimes water can leak as drops from those A/C units. This can cause major catastrophes such as electrical shorts and fire. Floods can, without any argument, easily cause the same situation.

Fire and Smoke

These two conditions pose obvious threats to a computer installation. Smoke particles are deposited on the disk surface, rendering the data unrecoverable. Excessive temperature can also destroy recorded media and cause the immediate breakdown of computer electronics. Besides doing permanent harm to peripherals, a failure while data is being written to disk can destroy the content of the files that are open during that process. Further damage can occur as a result of water and Halon fire retardants, which can be directly destructive to electronic devices. This happens if those devices are being discharged at the time power is applied to the circuits.

1.1.2 How to overcome the risk of Natural Disasters

When considering how to overcome the risks caused by natural disasters, it is well known that we cannot stop these events from occurring. But we can defend against them and prepare ourselves for such situations. ISO standards 14644-8 and 14644-9 describe how the server room can be kept clean in order to face any event.

Let's briefly discuss the abstract of ISO standard 14644-8:2006. This regulation deals with AMC (Airborne Molecular Contamination) between 10^0 and 10^-12 g/m³ under cleanroom operating conditions. It covers the categorization of Airborne Molecular Contamination (AMC) in cleanrooms only. According to the regulation, it controls specific chemical elements in terms of their airborne concentrations.

ISO 14644-9 was established in 2012 in order to maintain the levels of cleanliness on solid surfaces, using the concept called "particle concentration", in related controlled environment applications.

By maintaining server room cleanliness according to these two regulations, the organization will be able to optimize the performance of the server room hardware and at the same time reduce repairs, and the need to recover damaged data will no longer exist.

In order to fireproof the server room, there are some steps to follow.

Try to react to the fire before it gets out of control

In this scenario we can use a highly sensitive laser fire detection system (which can detect a fire at its earliest stage) and highly sensitive heat detection systems, in order to act at the first occurrence of smoke and ionization. All these suggested solutions can only inform or alert people about the incident. The staff can then react before the flames do huge damage to the assets.

Use of fire suppression systems

One of the most common approaches is to use water sprinklers. But this is not the best choice for extinguishing flames inside a computer server room, because water can cause irreparable damage to peripherals and other critical electronic items. The suppressant should not be released in its natural liquid form; it should be something gas-based. The ozone-depleting, residue-leaving Halon is one of the earlier fire suppression technologies. Nowadays the same methods have been enhanced to be non-corrosive, environmentally friendly and non-toxic.

Cover the server room by using fire containment solutions

How can we transform the server room so that it can withstand fire? A company named Firelock has invented special panels that withstand up to 2000°F. The key features of these panels are that they reduce the actual fire temperature to 125°F or less and can sustain up to 4 hours of direct fire.

Another solution we can use to protect against fire is the use of fire-stopping for cable penetrations.

Recover from floods/waters damages and power problems

The best practice for preventing water damage and flooding is to establish the server room isolated from the work environment, with more security. Climate detection systems can be installed in order to detect temperature changes.

To protect against power problems, powerful backup generators and stabilizers can be used to keep the power steady, without harmful changes or damage to the server room equipment.

1.1.3 Man-made events which can be threat to information assets in the selected organization

As I mentioned at the beginning of this report, risk can act in two ways, and this is the most threatening or harmful risk type, which has spread across the globe in a sophisticated manner. In 2011, IT security experts categorized, from different perspectives, the risks that can disrupt the day-to-day operations of banking institutions.

Risk of the Mobile Banking

Smartphones are being used for banking purposes, and at the beginning this showed only plus points for banking institutions. Mobile banking spread rapidly among people, but over time the mobile security in use proved not capable enough to provide the expected level of security. This lack of security was a major challenge for banks as well as credit unions. In simple terms, when organizations moved traditional online banking to mobile, it did not work 100% as they expected.

There are some good examples: Bank of America, TD Ameritrade, Wells and Chase have implemented mobile banking applications, but all of them had to suffer from security flaws. Research on vulnerabilities was conducted by the Citi Group in 2009. What it finally discovered was that some banking applications stored highly sensitive user information, keeping it hidden on the mobile phone.

Considering all these perspectives, mobile banking remained fairly limited among people. Still, the robustness of mobile applications under development has improved. "Many banks seem to be re-experiencing all the hard lessons of the previous online banking techniques." (McNelly, analyst at Aite Group). Malware attacks have also spread fast in mobile communication; Zeus attacks such as Mitmo are aimed point-blank at mobile devices.

"Mobile banking applications will not be a prime objective for imposters" (Rivner, security researcher at RSA). He believes mobile browsing will be more of a focus in the future, because most people use their smartphones to browse to online banking websites in order to carry out their online banking transactions.

Web 2.0 and Social Networks

Today most mobile phones have access to social media. Facebook and Twitter are the most powerful of these applications. "With more banks on social networks, expect to see more fake sites using social networks, like Twitter and Facebook, to try and trick people into giving up vital personal information" (Rasmussen, Internet Identity's chief technology officer, 2011). This includes banking login information and social security numbers. External threats are not the only risk that arises in this scenario. Employees who work for the institutions are free to use social networking and can inadvertently expose highly sensitive information through these networks. In one incident at a hospital in California, five employees had been using a social network to share personal information about hospitalized patients. This is only one significant example of what happens when employees violate social media policies. To prevent the internal hazard of information leakage, it is really important to inform employees about social networking policies and have them practice those policies. Employees should know when and how to use social networking while doing their job, and what information should not be shared.

Malware, DDoS attacks and Botnets

Distributed denial of service (DDoS) attacks can be seen as a result of the WikiLeaks incidents. Inspired by these WikiLeaks attacks, DDoS is now a major threat to e-commerce sites, and botnet attacks are another area that brings additional income to fraudsters. While banking institutions were taking down the attacks of the "Mariposa Botnet", they also had to recover from the challenges of DDoS attacks.

Nowadays attacks have become more sophisticated. The world-famous banking-credential-stealing Trojan, Zeus, has been used by a number of criminal groups around the world. In 2011 Zeus attacks caused $100 million in financial losses worldwide, according to an investigation by the Federal Bureau. In 2007 the same kind of threat had spread under the name Trojan, and Zeus is the latest version, which has several varieties. "There is a good opportunity that intruders will soon arise with more powerful methods to steal" (Rasmussen, Internet Identity's chief technology officer, 2011). Concerted attacks have been spreading against online banking systems. On this point Eisen, the inventor of the "41st Parameter", said: "The amount and velocity of fraud could force new and stronger authentication methods and more stringent procedures, such as dual signatures and dual authentications".

Phishing attacks

Phishing attacks have also evolved into new versions named smishing and vishing. Phishing and vishing are ranked 3rd among the fraud threats. One recent attack was identified against account holders who belong to the military forces in the USA, and there was a separate attack on World Bank officials. It is just the latest spree of attacks on banking security. The attackers used spoofed websites, malicious emails and telephone calls to defraud users. All these various approaches are used in order to steal banking credentials. On the other hand,

The basic idea of this is stealing someone's username and password and using them for credit, to buy merchandise and to use services while acting as the real user. The "phishing attack" is the most famous scenario of this kind. The following example helps to understand the problem.

Assume a person uses an American Express credit card. He or she gets an email saying that he or she has won $10000 in an annual raffle conducted by the bank. At the end, the email asks the user: "if you are the actual user click on this link to identify the identity of the user". In fact, it is well known that we tend to click on such a link without thinking twice, because the format of this email is 100% similar to the actual email formats sent by the bank. After clicking the link, the user is taken to a page that closely resembles the official site of the bank, which asks for the username, password and card details. This is the point where the hacker has really hacked the user: the user has now given all the required details, and those details are passed to the hacker's database instantly on clicking the submit button.

This is the most critical side of identity theft, in which most people are caught today. As a result, the reputation of the bank is totally or partially damaged.

Inside Attacks

Unhappy employees may make malicious threats or attacks and intrude into the organization. But this inside threat can also be directed by an outside party who wants access to the systems and servers and uses fake credentials to act as an internal employee. Kirk Nahra, a privacy expert and attorney, says many compromises of internal data can be traced back to employees. This is especially true when the compromised data leads to identity theft. But Nahra was quick to point out that not all compromises are malicious and intentional. The problem is that financial institutions have not set proper limits on the databases that contain the most sensitive and confidential information.

WikiLeaks is the prime example of how an internal party can create a significant risk to the organization.

1st Party Fraud

1st party fraud continuously poses challenges to banking security. It is also known as "application fraud", "sleeper fraud", "advance fraud" and "bust out fraud". It typically involves a client applying for and accepting credit with no intention of paying it back. The 1st party fraudster can use fake identification or misrepresent their actual identity. Jasbir Anand (Senior Solutions Consultant & Security Expert at ACI Worldwide) mentioned that between 10% and 15% of bad debt losses occur as a result of 1st party fraud. He also says that criminal gangs who are specialized and equipped in this field now focus on financial institutions, with fake identification and expert knowledge of leading practices. Once the identity is established, the intruder obtains credit and applies it to many financial products.

Skimming

The technology behind skimming is becoming more sophisticated and aggressively challenges banking security. Both flash attacks and blitz attacks involve the concurrent withdrawal of funds from a number of ATMs in multiple locations, sometimes scattered all over the world.

Avivah Litan (VP and analyst at Gartner) says flash attacks pose growing challenges, and these flash attacks are still not detected by fraud detection systems.

According to the Director of the Payment Card Industry Security Standards Council for the Europe region, fraudsters are relying on wireless technology to transfer skimmed credit card data.

Chuck Somers (VP of ATM Security & Systems for Diebold Inc) says that anything that moves away from the real authentication would break the ice for changing the entire infrastructure. Some cardholders have the option of using contactless radio frequency or chip technology (EMV) as the authentication type for payments. These two technologies have addressed certain emerging fraud concerns.

1.1.4 How to overcome the risk of Man-made threats

Man-made attacks are the most crucial threat around the globe. The reason is that, compared to natural disasters, man-made risks can turn the entire process of any institution upside down. We also have to defend our systems from attacks by both active and passive intruders. Let us see what kinds of security measures we can use to overcome the attacks mentioned under sub-heading 1.1.3.

Protect the user authentication by using strong password policies

When a system stores the password as it is (plain text) in the database, there is a huge risk of attack by intruders. We have to use a proper algorithm to protect the password. In most systems, the password entered by the user is passed through an algorithm that generates a one-way hash of that password. The advantage of this method is that the one-way hash cannot be reversed into the original plain text. When a user provides the username and password, the password is passed through the same algorithm to generate the one-way hash, which is then compared with the hash stored previously. If both match, the system accepts the user.
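The store-and-compare flow described above, as an added example that is not part of the original essay. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt as the one-way function; `UserStore`, the account names and the iteration count are hypothetical choices made for the illustration.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 work factor chosen for this example; tune it for your hardware.
ITERATIONS = 600_000


def unsalted_sha256(password):
    """Weak baseline: a fast, unsalted hash. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Build the record that is stored instead of the password."""
    salt = os.urandom(16)  # unique per user, stored next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password, record):
    """Re-derive the hash from the submitted password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


class UserStore:
    """Hypothetical in-memory credential table (a real system uses a database)."""

    def __init__(self):
        self._users = {}
        # Dummy record so a login for an unknown user costs the same as a real one.
        self._dummy = hash_password("placeholder")

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def record_for(self, username):
        return self._users[username]

    def login(self, username, password):
        record = self._users.get(username)
        if record is None:
            verify_password(password, self._dummy)
            return False
        return verify_password(password, record)


if __name__ == "__main__":
    store = UserStore()
    # Constructed sample accounts: two users who picked the same password.
    store.register("alice", "Spring-2017!")
    store.register("bob", "Spring-2017!")
    same = store.record_for("alice")["hash"] == store.record_for("bob")["hash"]
    print("unsalted hashes equal:", unsalted_sha256("Spring-2017!") == unsalted_sha256("Spring-2017!"))
    print("salted hashes equal:  ", same)
    print("correct password:", store.login("alice", "Spring-2017!"))
    print("wrong password:  ", store.login("alice", "Spring-2018!"))
    print("unknown user:    ", store.login("mallory", "Spring-2017!"))
```

The salt is what keeps two users with the same password from ending up with the same stored hash, which a plain unsalted hash cannot do.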

Another secure method is known as the Challenge Handshake Authentication Protocol (CHAP). In this case the server passes a challenge (simply, a key) to the client, and it is a mathematical combination of the user's password. The user's password and the challenge sent by the server are passed through the MD5 hashing algorithm (this is the formula), which generates a hash value, or mathematical response. The generated hash value is sent to the server to check the authentication. The server uses the same key to generate a hash from the password it stored earlier. The hash value sent by the client is then matched against the server's result. If both hash values match, the client is granted access. The key benefit is that the entire process is restricted to the client and the server, with no additional party able to grab the credentials.
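Both sides of the CHAP exchange, as an added example that is not part of the original essay. It follows RFC 1994, where the challenge is a random value chosen by the server and the response is MD5 over the identifier octet, the shared secret and the challenge; the class names, the peer name and the secret are constructed for the illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response: MD5(Identifier octet || shared secret || Challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: knows each peer's shared secret and issues one-shot challenges."""

    def __init__(self, secrets_by_name):
        self._secrets = secrets_by_name
        self._next_id = 0
        self._pending = {}  # peer name -> (identifier, challenge)

    def challenge(self, name):
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)  # fresh and unpredictable for every attempt
        self._pending[name] = (self._next_id, value)
        return self._next_id, value

    def verify(self, name, identifier, response):
        pending = self._pending.pop(name, None)  # a challenge is valid only once
        secret = self._secrets.get(name)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: proves knowledge of the secret without sending it."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret

    def respond(self, identifier, challenge):
        return chap_response(identifier, self._secret, challenge)


def demo():
    # Constructed sample data: one peer and its shared secret.
    server = Authenticator({"teller01": b"constructed-shared-secret"})
    good = Peer("teller01", b"constructed-shared-secret")
    bad = Peer("teller01", b"guessed-secret")

    ident, chal = server.challenge("teller01")
    captured = good.respond(ident, chal)
    accepted = server.verify("teller01", ident, captured)

    # A response recorded from the exchange above is useless against a new challenge.
    ident2, _ = server.challenge("teller01")
    replay_accepted = server.verify("teller01", ident2, captured)

    ident3, chal3 = server.challenge("teller01")
    wrong_accepted = server.verify("teller01", ident3, bad.respond(ident3, chal3))
    return accepted, replay_accepted, wrong_accepted


if __name__ == "__main__":
    print(demo())
```

To recompute the response, the server has to hold the shared secret itself, so CHAP cannot be combined with storing only a one-way hash of the password.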

Introduce social media policies to the staff

In this case I also have an unforgettable experience from my life. I was working in a hotel before starting the HND, and at that time Facebook was really famous among the staff members, including myself. Most of the employees of our department used their official work time to surf Facebook. In the course of time our management realized that something was being misused by the employees. Finally, what happened was that the IT department limited the internet by blocking access to Facebook. This is how the hotel management made a policy in order to stop the misuse of the internet by employees during their office hours.

Beyond this, an institution like a bank can follow a different strategy to overcome the risk. A bank is a collection of several departments (HR, credit, accounts, IT, marketing, security and public relations), and the concept here is called cross-functional teams. Bank management can select one member from each department. What can these selected members do? They can discuss the objective of introducing a social media policy, and whether to permanently ban social media from the organization or whether social media could be used in marketing to promote the bank. The team can hold several such meetings and come to the best conclusion.

Involving employees is the next most practical solution for overcoming the risk. "If your organization is not using social media to engage employees, it risks obsolescence" (Len Devanna, Director of media strategy and social engagement at EMC). EMC did not ban social media networks. Instead, they started their own internal social media network for employees, expecting that digital collaboration would help employees become comfortable and acquainted with their day-to-day work life.

To prevent fraud attacks, banking institutions should take the following steps to overcome the risk.

Develop analytical models and strategies in a dynamic way

Evaluate the implications of the fraud according to the bank’s strategy

Model the customers by considering the demography and develop strategies

Develop the pan-channel authentication for customers

Improve strategies for IT in holistic decision making


