Binghamton Bank Analysis


Transcript of Binghamton Bank Analysis

Page 1: Binghamton Bank Analysis

Binghamton Bank Risk Analysis

Infrastructure Division: Chloe Chan, Janet Chan, Kyle Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau

Application Division: Zachary Alexander, Alexis Cai, Sharon Han, Gary Liku, Derek Liu & Joshua Neustadter

Page 2: Binghamton Bank Analysis

Agenda

• Overview of Binghamton Bank
• Aegis Analysis
• Executive Summary
• Infrastructure Risk Analysis
• Application Risk Analysis
• Summary

Page 3: Binghamton Bank Analysis


Overview of Binghamton Bank

Page 4: Binghamton Bank Analysis

Background of Binghamton Bank

• Largest bank in the Northeast, headquartered in Boston, MA
• Specializes in commercial, retail, and investment banking
• $50 billion in assets; 20th largest bank holding company in the United States
• New CEO: Conner Wayne
• Rebranded slogan: “Building a Sanctuary for your Future”

Page 5: Binghamton Bank Analysis

Binghamton Bank Challenges

Binghamton Bank is looking to enhance its application and infrastructure assets in order to protect clients’ assets as well as its own reputation.

Software Upgrade Issues
• Stopped payments for 2 hours
• Large monetary loss

Web Application Issues
• Customers could not access their accounts
• Log-in troubles

Reliability and Reputation Issues
• Customers still question the reliability of the bank’s IT systems

Page 6: Binghamton Bank Analysis


Aegis Analysis

Page 7: Binghamton Bank Analysis

Aegis Analysis

Risk Evaluation Tool
• Designed and developed a risk evaluation tool that determines inherent risk, control strength, and residual risk by assessing client responses

Risk Criteria
• Operational: risks associated with functions inside the company and risks that affect internal day-to-day activities
• Financial: risks associated with business transactions, including both financial dealings and non-monetary trading and sharing
• Technological: risks resulting from failures or errors by IT devices or systems put in place by the company
• External: any associated risk due to an uncontrollable occurrence outside of the company

Page 8: Binghamton Bank Analysis


Executive Summary

Page 9: Binghamton Bank Analysis

Executive Summary

With prospects of long-term success, Binghamton Bank hired Aegis Consulting to identify current risks, which are summarized below.

Infrastructure

1. ATM Vendor Dependency
Risks
• Reliant on external vendors for ATM operations
• Lacking emergency protocol
Consequences
• Loss of ATM operations, and therefore financial loss

2. Online Banking Remote Security
Risks
• Weak network access security
• Lack of multi-tier authentication
Consequences
• Breaches of the database
• Disclosure of information

3. Disaster Recovery – Server Security
Risks
• No data encryption
• Weak failure prevention
• Outdated servers
Consequences
• Long recovery time objective
• Hacking of company servers

Application

1. Information Security – BODPS & NorthGo
Risk
• Sensitive client information
Consequences
• Loss of sensitive client data
• Prone to social engineering and regulation violations

2. Internal Monitoring – NorthGo & FIN
Risk
• Difficulty performing upgrades
Consequences
• Application failure
• Reputational harm
• Data loss

3. Lack of Backup System – FIN
Risk
• Critical to bank functions
Consequences
• Serious monetary loss
• Halt of Binghamton Bank’s operations

Page 10: Binghamton Bank Analysis

1. ATM Vendor Dependency

ATMs               Operational  Financial  Technological  External
Inherent Risk           53          40           78           67
Control Strength        28          10           25            9
Residual Risk           38          36           58           60

Note: Inherent Risk – lower is better. Control Strength – higher is better. Red indicates discussed risks. Score values are from 1 – 100.

Inherent Risk
• Processes 2,000–5,000 transactions per hour
• ATMs require 7 or more critical vendors to operate
• Negative press has the potential to reach national news

Control Observations
Technological
• ATMs do not have backup power plans in place
External
• Currently no transitional vendors in place
• Binghamton Bank takes no precautions to ensure that vendors are reliable

Page 11: Binghamton Bank Analysis

1. ATM Vendor Dependency

Risk Priority
Binghamton Bank Operations
• On average, ATMs process 180% more transactions per hour than online banking systems
Reputation
• Dependence on processes outside of Binghamton Bank’s control
• Potential for negative media
• ATM failures could seriously affect the reputation of the new CEO

Recommendations
Vendor Reliability
• Have transitional backup vendors in place for each critical vendor
• Create and practice a vendor contingency plan
• Increase awareness of vendors’ reliability
• Perform quarterly financial reviews
• Background checks on vendors (SOC 2)
• Annual debrief with vendor management
Failure Time Prevention
• Implement a backup power system
• Implement an Automatic Transfer Switch (ATS) to reduce failover time

Page 12: Binghamton Bank Analysis

2. Online Banking Remote Access Security

Online Banking     Operational  Financial  Technological  External
Inherent Risk           48          41           66           49
Control Strength        30          10           24           20
Residual Risk           34          37           50           39

Inherent Risk
Technological
• Less than 25% of online banking operations can be performed with failed servers
• More than 60% of sensitive information would be compromised in the event of a breach of the database
• Binghamton Bank allows remote access, which makes the databases more vulnerable to breaches
Financial
• Binghamton Bank would face greater than $200,000 in fines in the event of non-compliance with regulations

Control Observations
Technological
• No multi-tier authentication is required to gain access to online banking remotely
• Weak prevention of unauthorized access to the network
• No encryption of sensitive information

Page 13: Binghamton Bank Analysis

2. Online Banking Remote Access Security

Risk Priority
• Reputational Loss
  • Decrease in accountability to customers if servers were to fail
  • Loss of sensitive information will result in non-compliance with GLBA
• Monetary Loss
  • Each violation of GLBA can cause fines up to $100,000
• Safety of customers’ personal information
  • Hackers could disclose or utilize private customer information

Recommendations
Remote Access Safeguards
• Require virtual machines for employee remote access
• Enable remote wipe for devices
• Require 2-step authentication for employee remote access; example: Symantec
  • $72.25 TCO annually
• Include SSL certificates to encrypt data for all subdomains
• Require employees to access server information through a Virtual Private Network (VPN)
Unauthorized Network Access
• Allow only pre-authorized MAC addresses
• Monitoring and logging system
• Separate networks by criticality of information

Page 14: Binghamton Bank Analysis

3. Disaster Recovery – Server Security

DR/Servers         Operational  Financial  Technological  External
Inherent Risk           59          43           67           44
Control Strength        25          15           20           18
Residual Risk           44          36           53           36

Inherent Risk
Technological
• 10%–30% of critical infrastructure software is not up to date
• Less than 25% of operations can be performed with failed servers
• More than 60% of sensitive information would be compromised if databases were breached
• Allowing remote access to company systems can open doors to potential risks
Financial
• In the event of non-compliance with regulations, Binghamton Bank could face greater than $200,000 in fines

Control Observations
Technological
• Binghamton Bank only tests its contingency plan every 2–5 years
• Tests employees’ preparedness for online threats less than once a year
• Servers do not encrypt sensitive information
Financial
• IT employee operations are not aligned with financial goals

Page 15: Binghamton Bank Analysis

3. Disaster Recovery – Server Security

Risk Priority
• Monetary Loss
  • Each violation of GLBA can cause Binghamton Bank to be fined up to $100,000
• Excess or unnecessary activities are performed by the IT department
• Failures decrease the reliability of Binghamton Bank
• Weak ability to adapt to unanticipated events

Recommendations
• The COBIT governance framework would familiarize IT employees with business standards and goals
• Secure Sockets Layer (SSL) certificates establish an encrypted link between the server and a client
• 256-bit AES encryption in transit and at rest
• Test employees for phishing schemes monthly
• Test the contingency plan annually
• Upgrade to Windows Server 2012 R2
  • 1,000 servers ~ $900,000
  • 2,500 servers ~ $2.1 million
  • 5,000 servers ~ $3.9 million
  • 7,000 servers ~ $4.9 million

Page 16: Binghamton Bank Analysis

Infrastructure Summary

1. ATM Vendor Dependency
Risks
• Reliant on numerous critical vendors to operate ATMs
• Lacking an emergency plan for failed vendors
• Alternative power source is unavailable

2. Online Banking Remote Security
Risks
• Weak prevention of unauthorized network access
• Sensitive information not encrypted
• Weak authentication for account access

3. Disaster Recovery – Server Security
Risks
• No encryption of sensitive information
• Contingency plan not tested frequently
• Servers are not up to date

Recommendations
• Implement and practice a plan to transition to backup vendors
• Enable remote access safeguards (e.g. remote wipe, virtual machines)
• 256-bit AES encryption for disaster recovery servers and online banking remote access
• Upgrade to Windows Server 2012 R2
• Prevent unauthorized network access to online banking using allowed MAC addresses
• Ensure accordance with COBIT 5
• Implement ATM backup power systems

Page 17: Binghamton Bank Analysis


Application Risk Analysis

Page 18: Binghamton Bank Analysis

1. BODPS (Back Office Data Processing System)

Description: BODPS processes information from FIN and sends this data to iReport to create financial documents.

BODPS              Operational  Financial  Technological  External
Inherent Risk           84          15           88           75
Control Strength        38          44           20           41
Residual Risk           52          15           70           44

Note: Inherent Risk – lower is better. Control Strength – higher is better. Red indicates discussed risks. Score values are from 1 – 100.

Inherent Risk
Operational
• Stores sensitive client data that must be protected at the highest level to guard against hacking threats and data leaks
Technological
• Failure of this application would lead to the improper functioning of iReport

Control Observations
Operational
• Employees lack proper training to use the application securely
Technological
• No levels of authorization
• No scheduled dates for application upgrades and maintenance

Page 19: Binghamton Bank Analysis

1. BODPS (Back Office Data Processing System)

Risk Priority
• Poor internal login authorization security
• Potential loss of sensitive client data
• Sends data to iReport to create financial documents; poor security may lead to inaccurate data, and thus to publishing faulty financial statements
• Violations of SOX and GLBA are possible (jail time and fines can occur)

Recommendations
• Implement a two-level authorization process for employees to address poor security
  • Example: vendor Symantec for application security
• Schedule upgrades during low-traffic times
  • Use statistical analytics to locate the slowest hours of operation
• Implement mandatory training courses as part of a control objective
  • Raise awareness of social engineering threats
  • First steps to comply with COBIT
• Utilize ISO 27001/27002 to help begin the process of an Information Security Management System (ISMS)

Page 20: Binghamton Bank Analysis

2. NorthGo

Description: NorthGo is an online asset management application.

NorthGo            Operational  Financial  Technological  External
Inherent Risk           84          42           56           15
Control Strength        56          15           20           40
Residual Risk           37          37           45           15

Inherent Risk
Operational
• Web-based application that incorporates sensitive information of employees and customers
Technological
• Vulnerable to online hacking
• Excessive traffic can lead to potential overload

Control Observations
Operational
• Backup system does not demonstrate full functionality
• Internal monitoring system needs to be updated
• Insecure website does not adequately protect customer data
Technological
• No levels of authorization
• No systems are in place to handle increasing traffic

Page 21: Binghamton Bank Analysis

2. NorthGo

Risk Priority
• Lack of login security; vulnerable to hacking
• Nothing in place to mitigate failure from application overload
• Failure can lead to security vulnerability and loss of customer confidence
• Security threats can lead to the loss of customer information
• Violation of GLBA is possible (up to $100,000 per violation)
• Reputational harm
• Insufficient internal monitoring system to alert Binghamton Bank of potential malfunctions

Recommendations
• Implement two-factor authentication using a personal password and a randomly generated password; example: Symantec token
• Upgrade for increasing traffic
• Apply a backup system; example: Simpana
• Implement an application monitoring system; example: DynaTrace
  • $177/JVM instance for a three-year subscription
  • Provides alerts of potential risks ahead of time
• Schedule upgrades for low-traffic times

Page 22: Binghamton Bank Analysis

3. FIN (Central Financial Transaction Application)

Description: FIN is the central financial application of Binghamton Bank.

FIN                Operational  Financial  Technological  External
Inherent Risk          100         100          100           15
Control Strength        69          87           89           15
Residual Risk           31          15           15           15

Inherent Risk
Operational
• FIN is the most critical application to business functions
• Integrates with all applications, making it a big threat if it were to fail
• Binghamton Bank is susceptible to application failures during software upgrades

Control Observations
Operational
• There is no manual process to fall back on if the application were to fail
• Insufficient internal monitoring system to alert employees of application failure
• No periodic compliance checks to make sure new standards and regulations are being met

Page 23: Binghamton Bank Analysis

3. FIN (Central Financial Transaction Application)

Risk Priority
• FIN malfunction
  • Lack of a fully functioning backup system
  • Functions cannot be completed ad hoc
  • Critical bank functions can be halted by FIN failure
• Short Recovery Time Objective (RTO)
  • Bottom line is affected almost immediately
  • Quick recovery is crucial to prevent financial loss

Recommendations
• Implement software for a fully functional backup system; example: CommVault Simpana
  • Allows physical and virtual backups
  • Include a failure recovery system
  • Web-based and dashboard reporting features
  • Live restore, highly scalable, unified architecture – single console for DB admins
  • $1,270 per VM / $1,420 per TB of data
• Train employees in order to establish best practices in using this software
• Schedule backups and upgrades during low-traffic times

Page 24: Binghamton Bank Analysis

Application Summary

1. Insufficient Information Security
Risks
• No levels of authorization to access data; vulnerable to hacking, data loss, and data alteration
• Employees not properly trained to identify social engineering threats

2. Insufficient Internal Monitoring Systems for Application Failure
Risks
• Applications can fail unexpectedly, and Binghamton Bank is not prepared to recover quickly
• A failed application will hurt customer confidence and compromise information security

3. Lack of Backup System
Risks
• No backup system to continue protecting data
• Functions cannot be completed ad hoc effectively
• Critical bank functions can be halted by FIN failure

Recommendations
• Company-wide two-level authorization, e.g. Symantec security tokens
• Implement an internal monitoring system, e.g. DynaTrace
• Fully functioning backup system, e.g. CommVault Simpana
• Back up data and test backup systems regularly
• Mandatory employee training programs, including a detailed failure recovery plan

Page 25: Binghamton Bank Analysis


Summary

Page 26: Binghamton Bank Analysis

Recommendations Summary

Infrastructure

ATM Vendor Dependency – Recommendations
• Enable transitional vendors
• Vendor reliability procedures
• Automatic Transfer Switch
• Contingency plan tests

Online Banking Remote Security – Recommendations
• SSL certificates
• Virtual machines
• Remote wipe
• Pre-determined MAC addresses

Disaster Recovery – Server Security – Recommendations
• Upgrade to Windows Server 2012 R2
• Familiarize employees with COBIT
• SSL certificates
• Data encryption
• Test contingency plan

Application

BODPS – Recommendations
• Implement security tokens
• Provide application and regulation training program for employees
• Establish best practices with COBIT

NorthGo – Recommendations
• Implement internal monitoring system
• Implement a robust backup system
• Implement security tokens
• Establish an ISMS with ISO 27001/27002

FIN – Recommendations
• Implement a more robust backup system
• Set up a failure recovery plan
• Internal monitoring system to tell when FIN is going to fail

Page 27: Binghamton Bank Analysis

Questions? Thank you

Page 28: Binghamton Bank Analysis

Appendix A

Symantec: https://www4.symantec.com/mktginfo/whitepaper/user_authentication/whitepaper-twofactor-authentication.pdf

Better value with Symantec
• Lower costs
• Free, easy-to-use software credentials provide significant cost savings
• Cost-effective tokens – no token renewal fees and no shelf decay
• Single, integrated platform allows you to deploy multiple devices depending on user and application types
• Flexible models enable you to create a customized solution for your business – OTP or tokenless options
• Leverages existing technology investments (directory, database, SSO servers, etc.)
• Fully scalable
• Open versus proprietary – more credential choices and no vendor lock-in
• Continuous innovation – innovative devices both in cost and functionality (secure storage, end-point security, etc.)
• Single platform can support changing authentication requirements (including risk-based authentication)
• Out-of-box self-service application – including token activation, token synchronization, etc.

Page 29: Binghamton Bank Analysis

Appendix B

Symantec: (image)

Page 30: Binghamton Bank Analysis

Appendix C

Simpana: http://www.commvault.com/simpana-software
• Industry leading backup and recovery
• Backup success rate of 95 percent
• Maximizes utilization of storage and infrastructure
• Powerful scalability
• Broad flexibility
• Simple and comprehensive management
• Automated protection of virtual machines
• Acceleration and simplification of disaster recovery using “virtualize me”
• Disaster recovery cost reductions using Simpana Replication
• Eliminates operational complexity and reduces cost by integrating archiving, backups, and reporting into a single process
• Need for third-party reporting tools eliminated because it is managed from a single console
• Allows for workflow automation of tasks that would otherwise be repetitive or complex
• Self-service access to information, which allows for maximized productivity
• Accounts for all data and reduces risk in a single, enterprise-wide search
• One-click, enterprise-wide legal hold

Pricing
• $1,270 per socket
• $4.50 per user per month
• $30 per mailbox
• $1,420 per TB

Page 31: Binghamton Bank Analysis

Appendix D

DynaTrace: http://www.dynatrace.com/en/index.html
• No other company can match our experience and depth of knowledge: more than 800 of the field’s top engineers and application performance experts contribute to our industry leading products, assuring customer value and driving innovation. Dynatrace optimizes every digital moment by enabling you to:
• Proactively spot and solve application performance issues before users are impacted
• Smart and adaptive alerts to better adjust in future situations
• Code-to-click visibility, which can deliver actionable insights at each step in the lifecycle of the application
• Increases customer satisfaction by delivering visibility, context, insight, and adaptability
• Speed new applications and enhancements to market with DevOps functionality
• Pinpoint root causes and optimize critical applications
• Always ready to launch on time due to effective competitive benchmarking, testing, monitoring, and performance protection

Page 32: Binghamton Bank Analysis

Appendix E

ISO standards: ISO 27001, 27002
• ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
• ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
• ISO 27002 provides the code of conduct – guidance and recommended best practices that can be used to enforce the specification.
• ISO 27002, then, is the source of guidance for the selection and implementation of an effective ISMS. In effect, ISO 27002 is the second part of ISO 27001.

SOX: The Sarbanes-Oxley Act is United States legislation to improve the accuracy of corporate disclosures and prevent accounting errors and fraudulent financial practices. Due to the purpose of its establishment, all organizations regardless of size and scope are required to comply.
• Section 404: program for risk assessment and internal control reporting requirements. Section 404 of SOX is primarily devoted to the management assessment of internal controls using a top-down risk assessment. A top-down, risk-based approach is a process of identifying financial reporting related risks and a combination of controls that effectively address those risks, and of evaluating testing results to provide conclusive responses on the effectiveness of the controls. This method rests on the fact that not all risks are equal and that risks should be organized according to likelihood and impact.

Page 33: Binghamton Bank Analysis

Appendix F

COBIT:
• Framework: organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements
• Process descriptions: a reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run and monitor.
• Control objectives: provide a complete set of high-level requirements to be considered by management for effective control of each IT process
• Management guidelines: help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes
• Maturity models: assess maturity and capability per process and help to address gaps
• The maturity models (MMs) in COBIT were first created in 2000 and at that time were designed based on the original CMM scale with the addition of an extra level (0), as shown below:
  • Level 0: Non-existent
  • Level 1: Initial/ad hoc
  • Level 2: Repeatable but Intuitive
  • Level 3: Defined Process
  • Level 4: Managed and Measurable
  • Level 5: Optimized

Page 34: Binghamton Bank Analysis

Appendix G

GLBA:
• The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. One of the early steps companies should take is to determine what information they are collecting and storing, and whether they have a business need to do so. You can reduce the risks to customer information if you know what you have and keep only what you need.
• The Privacy Rule protects a consumer's "nonpublic personal information" (NPI). NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."

NPI:
• any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
• any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
• any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).

Fines for GLBA:
• Fines up to $100,000 for each violation
• Specific individuals fined up to $10,000 for each violation
• Criminal penalties of up to 5 years in prison

Page 35: Binghamton Bank Analysis

Appendix H

Cost Analysis for ATM Backup Power Systems
• Cost of previous 2-hour failure = $100 million
• If 1/5 of this cost were attributed to ATM failures = $20 million
• Cost per unit of 1,000 Watt gasoline-powered generator = $250
• Cost per unit of 300 Watt solar-powered generator = $650
• Cost per unit of PowerMax 50 Amp ATS < $100
• Assuming cost to deliver/install is < $1,750
• Total cost per unit < $2,500 (one-time cost)
• More than 8,000 units could be installed without ‘cost’ to the bank

Page 36: Binghamton Bank Analysis

Appendix I

Cost Source for Server Upgrades
Source: http://www.microsoft.com/en-us/server-cloud/products/windows-server-2012-r2/purchasing.aspx

Page 37: Binghamton Bank Analysis

Appendix J

Calculations for Windows Server 2012 R2*

(# of servers * (cost per server)) * (estimated discount)

1,000 servers: ((1,000)*(882))*(1.00) = 882,000 ~ $900,000
2,500 servers: ((2,500)*(882))*(0.95) = 2,094,750 ~ $2.1 million
5,000 servers: ((5,000)*(882))*(0.88) = 3,880,800 ~ $3.9 million
7,000 servers: ((7,000)*(882))*(0.79) = 4,877,460 ~ $4.9 million

*Note: These prices are estimates; Microsoft can give a more accurate estimate based on the number of servers that need upgrades.

Page 38: Binghamton Bank Analysis

Appendix K

SOC 2 Report
• Filed in compliance with the Statement on Standards for Attestation Engagements (SSAE) No. 16
• Based upon the 5 Trust Service Principles set forth in the AICPA Guide
• Report filed by an independent auditor
• Reports on the controls a Service Organization has in place
• User Entities (potential clients) review this to get a better idea of how reliable/competent a Service Organization is
• Can be used before beginning or continuing to pay a Service Organization for a service or product