MASTER OF BUSINESS ADMINISTRATION
INFORMATION TECHNOLOGY FOR MANAGERS ASSIGNMENT

TOPIC: SOLUTION TO ENHANCE SHINHANBANK'S INFORMATION SYSTEM SECURITY

INSTRUCTOR: Dr HUY NGUYEN
GROUP'S MEMBERS: LE HUY HIEU, VO THI KIM HOANG
CLASS: MBAOUM 0516 - K21C
HCMC - JUNE 2017

ACKNOWLEDGEMENTS

We would like to express our sincere gratitude to Dr HUY NGUYEN, who instructed us, gave us this chance and inspired us in this project. We would also like to express our thanks to Shinhanbank Vietnam for helpful information and knowledge.

With kindest regards,

CONTENT TABLE

OBJECTIVES
I. DESCRIPTION OF THE ORGANISATION
   Introduction about Shinhanbank
   Shinhanbank's information system
II. GENERAL LITERATURE REVIEW ON INFORMATION SYSTEM SECURITY
   The concept of information system
   The concept of information security
   Overview of information security in Shinhanbank
   Purpose of information security
III. DESCRIPTION OF SOME IT SECURITY ATTACKS
   Description
   Impact
   Reason
IV. SOLUTION TO ENHANCE SHINHANBANK'S INFORMATION SYSTEM SECURITY
   Training
   Enhancing awareness of bankers and customers
   3S Programme - Shinhan Security Solution
CONCLUSION
REFERENCES

OBJECTIVES

The world has changed over the last few years, especially within banking. Its processes, from retail transactions to market operations, have been transformed by technology and continue to evolve. Today's organizations increasingly rely on third-party systems to provide many of their digital services. This opportunity has not escaped the attention of criminals, hackers and even nation states, and it is problematic for banking. Traditional approaches to risk management focused on a single malicious agent or single points of attack. Enhancing information technology system security is therefore very important and essential. Based on the knowledge gained at university and during working time at Shinhanbank Vietnam, this is a small piece of research about this problem. We hope that it will help us have a look at the information
technology system security of banking.

I. DESCRIPTION OF THE ORGANISATION

Introduction about Shinhanbank

Shinhan Bank is a bank headquartered in Seoul, South Korea. Historically it was the first bank in Korea, established under the name Hanseong Bank in 1897. The bank was re-established in 1982. It is part of the Shinhan Financial Group, along with Jeju Bank. Chohung Bank merged with Shinhan Bank on April 1, 2006. Shinhanbank is a member of Shinhan Group, the first civilian-controlled financial holding company in Korea. It has over 22,000 employees. Now it is a leading bank in South Korea and operates globally.

Image: Headquarters of Shinhanbank in Seoul, South Korea

In Vietnam, Shinhan Bank's history can be traced back to 1993, when Shinhan Bank first opened a representative office in Ho Chi Minh City and became one of the pioneers promoting formal diplomatic relations between Vietnam and Korea. SHINHAN BANK VIETNAM is headquartered at Empress Tower (138 - 142 Hai Ba Trung, Da Kao Ward, Dist. 1, Ho Chi Minh City). During the past 20 years of sustainable endeavour in Vietnam, SHINHAN BANK VIETNAM has always been trusted and chosen by Vietnamese and foreigners, domestic enterprises and foreign investors, including the Korean community in Vietnam. Up to now, Shinhan Bank Vietnam has 18 branches and transaction offices in Ho Chi Minh City, Ha Noi, Binh Duong, Dong Nai, Thai Nguyen, Vinh Phuc, Hai Phong and Bac Ninh. In the near future, Shinhan Bank Vietnam will continue expanding its branch network to many provinces and cities in Vietnam and constantly enhance service quality to best serve our dearest customers.

Business Principles: Core Value, Vision, Mission

Shinhanbank's Information System

Internet Banking and Mobile Banking are online banking services allowing customers to perform banking transactions anywhere, anytime via their computer or mobile devices with an internet connection. Customers can inquire and transact quickly and effectively.

The Call Centre offers the following services and support to
customers: account information inquiry, card deactivation and lost card report, credit card inquiry and PIN change, registration of a received card, and branch information inquiry.

Online smart savings service and secured loan: supports automatic transfer of money to a Term Deposit account via Internet Banking or Mobile Banking, and a Time Deposit at Shinhan Bank can be used as collateral to receive financial support immediately via Internet Banking or Mobile Banking.

Bill payment service and Top-up service: free sign-up for the Bill Payment service is the easiest way to pay bills (electricity, telephone, cable, ADSL, air tickets, water). The Top-up service allows customers to directly top up their mobile phone account or buy code cards from some telecom companies and other suppliers; the amount the customer requests to top up or to buy a code card is debited from their bank account.

Card services: ATM, debit card and Visa card for personal and corporate customers.

II. GENERAL LITERATURE REVIEW ON INFORMATION SYSTEM SECURITY

The concept of information system

According to Efraim Turban and Linda Volonino (2011), an information system (IS) collects, processes, stores, analyses and distributes information for a specific purpose or objective. The basic functions of an IS are input, processing, output and feedback. The collection of computing systems used by an organization is termed information technology. IT refers to the technological side of an information system and is used interchangeably with information system. An IS uses computer technology and networks to perform some or all of its tasks. It can be as small as a smartphone with a software app that can snag tags to load a website. It may include several thousand computers of various types, scanners, printers and other devices connected to databases via wired and wireless telecommunication networks.

The concept of information security

According to Efraim Turban and Linda Volonino (2011), information security is about risk to data,
information systems and networks. Security incidents create business and legal risks, such as when operations are disrupted or privacy laws are violated. IT risk management includes securing corporate systems while ensuring their availability; planning for disaster recovery and business continuity; complying with government regulations and licence agreements; maintaining internal controls; and protecting the organization against an increasing array of threats such as viruses, worms, spyware and other forms of malware. Managers have a fiduciary responsibility to protect the confidential data of the people and partners that they collect, store and share.

Overview of Information Security in Shinhanbank

Cooperation with external companies and sharing of internal and external information via a file server is growing.

Purpose of Information Security

What is the goal of security?
- To create the most secure system?
- To implement the safest IT environment?

What do we need to protect?
- IT system?
- PC?
- Business operation?
III. DESCRIPTION OF SOME IT SECURITY ATTACKS

Description

The first case

On 20 March 2013, Shinhanbank suffered frozen computer terminals in a suspected act of cyberwarfare. ATMs and mobile payments were also affected. The South Korean communications watchdog raised its alert level on cyber-attacks to three on a scale of five. North Korea had been blamed for similar attacks in 2009 and 2011 and was suspected of launching this attack as well. South Korean officials linked the incident to a Chinese IP address, which increased suspicion of North Korea, as intelligence experts believe that North Korea routinely uses Chinese computer addresses to hide its cyber-attacks.

Image: ATM system did not operate

The malware related to the attack is called "DarkSeoul" in the computer world and was first identified in 2012. The Financial Services Commission of South Korea said that Shinhan Bank reported that its Internet banking servers had been temporarily blocked, and that Jeju Bank (100% owned by Shinhanbank) reported that operations at some of its branches had been paralysed after computers were infected with viruses and their files erased. Hackers temporarily shut down computer networks at banks in the biggest cyber attack on the nation in two years, prompting a probe into possible links with North Korea. The government set up a cyber crisis group to investigate whether North Korea was responsible. Computer shutdowns hit companies including Shinhan Bank, Nonghyup Bank, Munhwa Broadcasting Corp., YTN and Korea Broadcasting System.

Cyber attacks are much easier weapons for North Korea, as they cost far less than missiles or nuclear tests, yet they can send more people into a real panic. Furthermore, they can be carried out at any time without worrying about international sanctions.

Disruption to networks at Shinhan Bank and Cheju Bank began around 2.20pm. Malware code was distributed through the targeted organizations' servers, destroying their computers' ability to boot. This is the
biggest and most serious cyber attack in two years; there had not been simultaneous attacks on more than one target since 2011. All transactions at Shinhan Bank stalled in the afternoon. Transactions through Internet and mobile banking were partly affected. Operations at the bank were back to normal later in the afternoon. South Korea blamed North Korea for an attack on about 40 websites in 2011. The South also blamed the North for an attack on some banks a month later that kept almost 20 million clients from using automated teller machines and online banking services.

Image: The computers were frozen during the attacks

The second case

In August 2016, some emails with malicious code were sent to officers' email accounts in Shinhanbank Vietnam. The Information Technology Department of the headquarters reminded officers not to open that email, but some staff did not take note and opened it. The hackers used email attachments to attack the bank's internal network, and some computers were infected with malicious code. The IT Department closed the banking software for 15 minutes to resolve the incident. Fortunately, transaction time at Shinhanbank Vietnam starts from 8.30 am, so this did not affect customer transactions, but the ATM system also did not operate for 15 minutes.

The third case

In January 2017, a customer of Shinhanbank Vietnam, Bien Hoa Branch, reported to the bank that millions of VND had suddenly gone missing from his account, although he had not made any transactions. When the bankers checked the statement, they saw a money transfer made by Internet Banking, but the customer insisted that he had never made that transaction. He said that when the bank gave him a security card with numbers for making Internet Banking transactions, he used his iPhone to take a photograph of the security card and destroyed the card. An Internet Banking transfer needs a username, a password and the security numbers on the card. He often lent his iPhone to others. The bank cancelled the old security card and supplied him with a new one.

Image: Security card of Shinhanbank

Impact

Attacking the
information technology system of a bank greatly affects the operation of that bank and loses customers' trust, because a bank is an organization that trades a special good: MONEY. The reputation and image of a bank are very important, and they are impacted by public communication and social networks. The attacks on Shinhanbank shut down staff computers; ATM, mobile banking and Internet Banking were affected. All systems were paralysed, although only for several hours. This affected the transactions of customers and partners, and the bank will lose some customers to other banks. Shinhanbank is a global bank. After the attack in 2013, South Korean stocks tumbled, with the Kospi Index losing 1%, compared with a 0.1% drop in the MSCI Asia Pacific Excluding Japan Index. The won slid 0.5% to 1,116.30 per dollar in Seoul, according to data compiled by Bloomberg. The yield on South Korea's 2.75% bonds due December 2015 rose one basis point to 2.60%, according to prices from Korea Exchange Inc.

Reason

Information security management is crucial and vital in banking operations. In the attacks on Shinhanbank, malware and malicious code were frequently used by hackers to attack the bank's computer and software systems. The central processing system of the bank could not react in time when attacked. Additionally, frequent upgrades of the core banking system are also a chance for hackers to seize on. They paralyse the banking system so that it cannot operate for a short time.

Lack of awareness or care by some staff is one of the main reasons hackers can take advantage and attack a bank's information technology system. Attackers usually send emails with attachments containing malicious code, or send links and ask staff or customers to submit information. The skill level of staff remains limited, so they cannot adapt to or follow modern technology.

Customers do not have enough knowledge and skills to protect their information, so they easily lose the basic information needed to prevent risks. Hackers and
criminals are very sophisticated in attacking Internet Banking systems or manipulating customers' transactions. Customers have to be cautious to protect themselves.

IV. SOLUTION TO ENHANCE SHINHANBANK'S INFORMATION SYSTEM SECURITY

Training

Training is one of the essential and important solutions for protecting information technology system security. The bank's officers always have to learn by heart the rules for keeping the information of the bank and its customers secret; it cannot be disclosed. Processing and removing all information in documents or files related to customers follows a closed cycle. Information and documents printed from the banking information system are not allowed to leave the bank. The bank should promulgate moral standards and behavioural rules for staff to comply with. If there is any violation related to information technology system security, suitable discipline is needed. If any incident happens, staff should contact the IT Department to solve it, where specialists will prevent information leaks to protect the banking system.

Enhancing Awareness of Bankers and Customers

The human element plays an important role in the establishment and development of any organization. A bank that wants to protect its information technology system needs to focus on its staff. Investing in infrastructure, upgrading the banking information system and applying technological advances are the general tendency of banks today. However, they are only tools for human beings to use. So, to implement an effective security programme, "there must be a balance between human factors, policies, process and technology in the management of security in order to minimize the risks that arise in the business environment the most effective way". For officers of Shinhanbank, we should frequently remind them and send messages so that they see the importance of information technology security. The bank always has preventive measures by messages or notes on the computer screensaver. Protecting the information security system is the
responsibility of everyone, from staff to the Information Technology Department. Everyone should note the following basic problems in order to protect themselves.

For users
- Opening an email without checking its authenticity, such as the sender information
- Failing to install security patches for Windows and Office
- Downloading and using games or screensavers from untrustworthy sites
- Failing to make backups and to test what has been backed up
- Regarding information security as a duty of the IT department only
- Processing sensitive matters using a common PC

For Senior Management
- Blindly trusting a security solution
- Assigning a less trained person to a security position and not providing the necessary education
- Failing to recognize how information security and the business are co-related
- Taking technical measures and opening a network without considering management and operation factors
- Failing to understand the value of information assets
- Repeated issues caused by short-term, temporary, patch-up solutions
- Delay in response

For IT Department
- Connecting online without strengthening security
- Connecting a test machine to the network using an easy-to-guess ID and password
- Delaying patch updates even when a security weakness is found
- Accessing a system or network using an unencrypted protocol like Telnet
- In spite of regular backups, never conducting a recovery test on the backup
- Turning on unnecessary services
- Roughly setting up rules for the firewall
- Lack of security-related training/education

For customers, the bank should have detailed instructions for them to master so that they protect themselves when making transactions. Customers must always keep their banking information secret. When they get a problem due to unclear understanding or find any suspicious transaction, they have to contact the call centre or the nearest branch for support. This will help them prevent risk and loss.

3S Programme - Shinhan Security Solution

Data protection and disclosure control: policy-based processes and capabilities within the computing infrastructure to control who can access particular data and for what
reason.

Secure transactions: leveraging the identity infrastructure and access control policies to achieve an appropriate level of confidentiality, integrity and authenticity for every level of transaction, from interdepartmental connections to exchanges with institutions outside the enterprise.

Secure systems and networks: enterprise IT systems and networks with embedded security capabilities required for an end-to-end solution, with solutions ranging from assessments and design to implementation and management services, and the ability to deliver industry-specific security solutions such as identity management, data integrity, threat management and security governance. This provides the skills and expertise to assist enterprises in making the shift from traditional security to security on demand. Services include analysis to pinpoint the greatest risks of business damage; planning to focus on the logical next steps for people, process and technology that can have the greatest benefit; implementing integrated, closed-loop solutions to close gaps; managed services options; and auditing and continual improvement. These services seek both to protect business value from threats and to enhance flexibility to take advantage of business opportunities.

Setting up security-enabled software offers a strong security management portfolio that can be used to provide proactive, integrated security management in the business, including security event management, security policy and compliance management, identity management and remediation. Solutions that help the bank: integrate data and content; optimize collaboration and human interaction; develop software and systems; and manage and integrate transactions.

Setting up security-rich hardware includes an array of security capabilities that can be used to: facilitate identity authentication, including single sign-on; maximize data security, both in storage and in transit; enforce and refine security policy; and identify and dynamically recover from
intrusion and data corruption.

Document security programme

This is optimal for securing a company's digital information. It provides an integrated security schema, as it secures the entire life cycle of an electronic document, from generation to transmission and disposal, based on strong encryption and controlled access.

Document Security Users (authorized users) are contractors of third-party entities that are intended to use or interact with the information being shared. However, these users are not employees of the organization and do not have the Document Security solution installed on their computers.

Decryption/Encryption of files

Decryption changes an encrypted document into a regular document. This allows the document to be opened by a third party (a customer, another company, etc.). Encrypted files can be opened only on PCs within the bank. Simply opening a regular document does not trigger encryption, but saving after editing does. Encrypted documents can be opened on PCs within the bank but cannot be opened by a third party, and therefore document decryption is required for external file transmission.

Terminal Administrator
- Assigned to each department, with overall responsibility and authority for terminal operation and management within the assigned department.
- Conducts the necessary tasks to fix defects, transfer devices and manage other devices.
- Verifies the access rights of a user trying to access the information processing system, and makes the user set up and use a login password and change it every three months.

End user
- Assigns a password and runs a screensaver to keep anyone other than himself from running the terminal.
- Executes operations in accordance with these procedures.
- Uses the terminal as instructed and immediately reports any operational issue to a terminal administrator.

Restriction on using software and hardware
- The head of each department must ensure that no illegal or unlicensed software is used.
- The head of each department must ensure that no unauthorized hardware is used.

Terminal Protection
- The head of each department should assign an end user to each terminal and have them use a password and screensaver to block any access by anyone other than the assigned person.
- A password must be longer than [number missing in source] digits, contain numbers, alphabetic and special characters, and be updated at least every three months.
- In principle, every terminal is prohibited from accessing any wireless device.
- Operation-specific terminals are designated; they cannot be used for other than the specified purposes, nor be imported or exported. Mobile computing devices such as laptops also cannot be used.
- You must not share your terminal with others nor save any important information on your terminal.
- Every terminal must be protected with security features such as logging of major operational activities, control, and blocking of wireless communication.
- On a terminal, a user cannot access an additional storage device like USB.

Device Return or Collection
- When returning a device, delete all information on the device after storing it separately, and then return it.
- A terminal administrator makes sure that all data is unrecoverable when collecting a device.

Unmanned Device Protection
- Install and regularly update vaccine (antivirus) software on unmanned devices. However, this may not apply to any unmanned device on which a Windows OS is not installed.
- Implement access control on an unmanned device that allows only the necessary communications.
- In principle, transfer of major data from an unmanned device is encrypted.

Use of software
- An end user must not install or distribute unauthorized software for personal use (e.g. games, hacking tools, remote access control).
- An end user must not illegally replicate or install unlicensed software.
- An end user must not acquire internal/external user information or unauthorized/unapproved information by way of hacking or scanning.
- An end user must not delete or change a security program installed on a terminal for the purpose of bypassing it.
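The Terminal Protection password rule above (numbers, letters and special characters; changed at least every three months) written out as a small checker. This is an added example, not the bank's own procedure or software. The minimum length of 8 is an assumption, because the number did not survive in the source, and the user-ID check is also an assumption, tied to the IT-department warning about easy-to-guess ID and password pairs.

```python
import calendar
import string
from datetime import date

# Assumption: the source states a minimum password length but the number
# did not survive extraction, so 8 is used here only as a placeholder.
ASSUMED_MIN_LENGTH = 8
ROTATION_MONTHS = 3  # policy text: "updated at least every three months"


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole calendar months, clamping the day so that
    e.g. 30 November + 3 months lands on the last day of February."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_rotation_date(last_changed: str) -> str:
    """ISO date by which a password set on last_changed (ISO) must be changed."""
    deadline = add_months(date.fromisoformat(last_changed), ROTATION_MONTHS)
    return deadline.isoformat()


def rotation_overdue(last_changed: str, today: str) -> bool:
    """True when today (ISO) is past the three-calendar-month deadline."""
    deadline = add_months(date.fromisoformat(last_changed), ROTATION_MONTHS)
    return date.fromisoformat(today) > deadline


def composition_violations(password: str, user_id: str = "") -> list:
    """Check a terminal password against the composition rule: numbers,
    alphabetic and special characters all present, plus the assumed
    minimum length. Returns a list of violation codes (empty means ok)."""
    violations = []
    if len(password) < ASSUMED_MIN_LENGTH:
        violations.append("too_short")
    if not any(c.isdigit() for c in password):
        violations.append("no_digit")
    if not any(c.isalpha() for c in password):
        violations.append("no_letter")
    if not any(c in string.punctuation for c in password):
        violations.append("no_special")
    if any(c.isspace() for c in password):
        violations.append("contains_whitespace")
    # Assumption: a password containing the login ID counts as easy to guess,
    # the failure the IT-department checklist warns about for test machines.
    if user_id and user_id.lower() in password.lower():
        violations.append("contains_user_id")
    return violations


def evaluate_terminal_password(password, user_id, last_changed, today):
    """Combine both rules into one decision: (allowed, violations)."""
    violations = composition_violations(password, user_id)
    if rotation_overdue(last_changed, today):
        violations.append("rotation_overdue")
    return (not violations, violations)


if __name__ == "__main__":
    # Constructed sample inputs, not data from the bank.
    print(evaluate_terminal_password("Tr4n$act-2017", "hieu", "2017-01-05", "2017-06-01"))
    print(next_rotation_date("2016-11-30"))
```

The three-month deadline is counted in calendar months and clamped to the last day of the month, so a password set on 30 November is due on 28 February rather than spilling into March.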
Use of storage device
- In principle, you are not allowed to use external storage devices such as USB or CD-RW. However, when an external device is required for business purposes, you can use it after getting approval from your department head.
- An IT security administrator can exceptionally approve the use of external storage in the following cases: continuous long-term usage is required, and approval from a department head is not possible.

CONCLUSION

In short, the scope of today's security challenges and opportunities continues to grow. Implementing a security solution that can contribute to the success of banking, and finding solutions to protect mission-critical systems, is very important. Hardware, software and services to address immediate security needs are essential. Information system security plays an important role in any organization; it is the vital element of the banking system. With this assignment, we hope to give an overview of the banking system, especially in Shinhanbank, and therefore to have suitable solutions to maintain and protect the banking system so that it operates safely and effectively. We hope that the bank will update, upgrade and apply new technology and deploy banking modernization.

REFERENCES

Efraim Turban, Linda Volonino (2011), Information Technology for Management, 8th edition, John Wiley & Sons, Inc.
Internal Security of Shinhanbank
Some other documents and websites

Websites:
www.shinhan.com.vn
https://en.wikipedia.org/wiki/2013_South_Korea_cyberattack
http://www.bbc.com/news/world-asia-21855051