
HSBC BANK

SECURITY SYSTEM DESIGN


8/25/2011

PARTICIPATION

W U L J R Perera M D C D Somasiri C D Godagama D V H A K Dodangoda

08/AS/CI/063 08/AS/CI/072 08/AS/CI/016 08/AS/CI/010

Department of Computing and Information Systems - SUSL

Information Security
Information Security is the protection of data against unauthorized access.

Basic Principles of Information Security


Confidentiality - Prevent the disclosure of information to unauthorized individuals or systems.
Integrity - Data cannot be modified undetectably.
Availability - The information must be available for the computing systems used to store and process the information.
Authenticity - Necessary to ensure that the data, transactions, communications or documents are genuine.
Non-repudiation - In law, non-repudiation implies one's intention to fulfill their obligations to a contract.

Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and non-repudiation.

Information Security Systems


Many organizations depend entirely on information stored in computers; without this information, it would often be very hard for an organization to operate. Information security systems need to be implemented to protect this information. Information Security Systems protect information and Information Systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Security Design Principles


Security design principles are used in designing Information Security Systems. The goal of the security system is achieved by applying the security design principles in a well-organized way, according to the mindset of the organization. Security design principles can be organized into three logical groups:
1. Structure
2. Logic and Function
3. System Life Cycle

THE HSBC BANK


HSBC Holdings plc is a United Kingdom-based public limited company. HSBC is one of the largest banking and financial services organisations in the world. HSBC's international network comprises around 7,500 offices in 87 countries and territories in Europe, the Asia-Pacific region, the Americas, the Middle East and Africa. HSBC provides a comprehensive range of financial services to around 95 million customers through four customer groups and global businesses: Personal Financial Services (including consumer finance); Commercial Banking; Global Banking and Markets; and Global Private Banking. The Bank is also an international dealer in derivative instruments and has mortgage banking and brokerage operations.

Mind set of HSBC


HSBC:
Collects only personal information that is relevant and required to understand customers' financial needs and to conduct its business.
Uses customers' personal information to provide them with better customer services and products.
May pass personal information to other companies or agents of the HSBC Group, as permitted by law.
May be required from time to time to disclose personal information to governmental bodies or agencies, under proper authority.
Aims to keep the personal information on bank records accurate and up to date.
Maintains a strict security system designed to prevent unauthorized access to personal information by anyone, including the staff.

Security Concerns of HSBC


Security is one of the top priorities of the bank. HSBC will strive at all times to ensure that personal data is protected against unauthorized or accidental access, processing or erasure. The secure area of HSBC's website supports the use of the Secure Socket Layer (SSL) protocol and 128-bit encryption technology, an industry standard for encryption over the Internet, to protect data.

Security System of HSBC


The security system of HSBC is well designed, using several security design principles to maintain its physical security, data integrity and data security.

Data security
Data security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus data security helps to ensure privacy. It also helps in protecting personal data. HSBC always gives priority to its customers' privacy and the security of their personal data.

Physical Security
Physical information security means physically protecting data and the means to access that data, apart from protecting it electronically. Physical attacks to acquire sensitive information do frequently occur. Sometimes these attacks are considered a type of social engineering. HSBC uses proven physical security mechanisms to achieve physical security for all the data and also the currency in the bank.

Data Integrity
HSBC collects personal information to carry out and administer services to customers and in an effort to improve the customer experience. Without such data the Bank may be unable to open or continue accounts, establish or continue banking facilities, or provide banking services. HSBC uses mechanisms such as encryption and password protection to maintain data integrity.

Security Design Principles Used in the Security System of HSBC


1. Structure

1.1. Clear Abstractions
The system has simple, well-defined interfaces that clearly represent the data and functions provided. This security design principle promotes analysis, inspection and testing, and it hides the internal information system from the user while ensuring the correct and secure use of the system.

User Interfaces
For example, consider the user interface for logging in, which clearly represents the data and functions involved.

The log on process for Internet Banking has three steps:
1. Request to input Username
2. Request to input Memorable Answer
3. Request to input Password using the virtual keyboard, which when combined with the Username is unique to the user.

1.2. Minimized Sharing


No computer resource is shared between components and subjects unless it is necessary to do so. Using this security design principle provides advantages such as simplifying the design, simplifying the implementation and also protecting the user.

Firewalls
HSBC uses firewalls to minimize sharing. Firewalls and monitoring devices prevent other unauthorized Internet users from accessing our computer system. A personal firewall helps to protect the information held on your system from any unauthorised access attempts.

1.3. Reduced complexity


Complexity of the system is reduced to identify vulnerabilities easily. Through this the correctness and the completeness of the system could be understood. Potential vulnerabilities can be detected as soon as possible and this is considered as an advantage.

1.4. Trusted components


Components are trustworthy. HSBC is always determined to use trusted components in its implementations. The advantage is that trust in a component and its trustworthiness can be measured.

1.5. Minimized security Elements


The system does not have trusted external components. HSBC always uses its internal components and does not rely on any external components. This is a standard found in this organization. The advantages of this security mechanism are that it reduces cost and decreases the complexity of security analysis, because no components are brought in from outside and the internal components are trustworthy.

1.6. Least privilege


Each component is allocated sufficient privileges to accomplish its specified functions, but no more. HSBC uses this mechanism to prevent components from referring to other functions of the system, which may cause failure. The advantages of this security principle are that the security impact of failure or corruption of a component is minimized and that security analysis of the components is simplified. For example, customers of HSBC have their own accounts with full functionality, while they are not given the opportunity to refer to others' accounts. A customer's account also cannot be accessed by any outsider.

1.7. Trusted communication channels


Features:
Channels are restricted to potential access.
Avoid misuse of channels.
End to end communication.

HSBC uses encryption as one of the techniques with this security design principle.

Encryption and Decryption
Encryption is the conversion of data into a form that people cannot read. Decryption is the reversal of that process. When managing an HSBC account online, encryption software scrambles your information into an unreadable form every time you enter it.

1.8. Continuous data protection


Continuous protection is given to the data to maintain the integrity, privacy and confidentiality of the information. HSBC has taken steps to give the best continuous protection to its data by installing well-certified anti-virus software on its systems. For example, installing anti-virus software helps to protect the system from known viruses. This is a vital piece of software to have and to use. It is also important to keep this software up to date to protect against more recent viruses.

2. Logic and Function

2.1. Economic security

HSBC selects sufficient and correct security mechanisms to maintain the required performance.

Using Back-ups
A backup makes copies of data so that these additional copies may be used to restore the original after a data loss event. Backups are useful primarily for two purposes. The first is to restore a state following a disaster. The second is to restore small numbers of files after they have been accidentally deleted or corrupted.

2.2. Ergonomic security


User interfaces for security functions and supporting services are intuitive and user friendly. They also provide appropriate feedback for user actions that affect policy and its enforcement. HSBC is always concerned with its ergonomic security and has taken action to give users better knowledge of how to use the system more securely and more effectively. For this purpose training and guidance are provided. Customer services have been established to answer questions and provide guidance to customers when using HSBC services.

Customer Services and Guidance
Protect your personal information.
Use anti-virus software.
Use a firewall.
Use strong passwords.
Back up important files.
Learn what to do if something goes wrong.

2.3. Acceptable security


The level of privacy and performance of the system is consistent with the expectations of HSBC's customers.

Time out facility
Once you have logged on to Internet Banking, after ten minutes of inactivity the system will automatically end your session to help prevent unauthorised access. HSBC has a service in Internet Banking called Global View. Like the Internet Banking service, after ten minutes of inactivity it will automatically end your session to help prevent unauthorized access.
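Server-side enforcement of the ten-minute inactivity limit described above, as an added example that is not HSBC's code or part of the original report; SessionStore and its method names are hypothetical.

```python
import secrets
import time

IDLE_TIMEOUT = 10 * 60   # seconds: the ten-minute inactivity limit from the text


class SessionStore:
    """In-memory session table with a sliding idle timeout (hypothetical class)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the timeout can be tested
        self._last_seen = {}     # session id -> time of last authenticated request

    def create(self) -> str:
        """Issue an unguessable session id after a successful log on."""
        sid = secrets.token_urlsafe(32)
        self._last_seen[sid] = self._clock()
        return sid

    def touch(self, sid: str) -> bool:
        """Call on every request; True means the session is still valid."""
        last = self._last_seen.get(sid)
        if last is None:
            return False
        now = self._clock()
        if now - last >= IDLE_TIMEOUT:
            # Destroy the record so a late request cannot revive the session.
            del self._last_seen[sid]
            return False
        self._last_seen[sid] = now   # activity slides the ten-minute window
        return True

    def purge(self) -> int:
        """Drop sessions whose owner never came back; returns how many were removed."""
        now = self._clock()
        stale = [s for s, t in self._last_seen.items() if now - t >= IDLE_TIMEOUT]
        for s in stale:
            del self._last_seen[s]
        return len(stale)
```

The check runs on the server because a timer in the browser alone can be stopped or altered by whoever controls the machine.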

3. System Life Cycle

3.1. Use Repeatable, Documented Procedures

Using repeatable and documented procedures means that the techniques used to construct a component should permit the same component to be completely and correctly reconstructed at a later time. Repeatable and documented procedures support the creation of a component that is identical to a component created earlier that may be in widespread use. HSBC uses this design principle so that it can reuse its techniques and development methods for future development.

Special Security functionalities used by HSBC


Secure Key
Staying safe online
HSBC security recommendations

01. Secure Key
HSBC Secure Key is the latest of these innovations. Throughout history, people have always found ingenious ways to protect what's important to them. It's the same online. The new HSBC Secure Key is designed to make sure only you can access your personal information. HSBC is the first UK bank to introduce a two-factor authentication device like this. Some devices are larger and require the user to insert their card; this device is one of the smallest and simplest to use.

Two-factor authentication
The Secure Key is a two-factor authentication device that will help protect you from internet banking fraud. Devices like these are commonly used for secure transactions all round the world. With this technology you can enjoy far more secure online banking services. Two-factor authentication means you not only need a password or PIN, but you also need a device unique to you, like the Secure Key.

Fraud protection
With Secure Key you have an extra layer of protection. You need your PIN number AND your personal Secure Key.

Peace of mind
Secure Key gives you greater peace of mind because you have this extra layer of security.

Easy to use
Just switch it on, enter your Secure Key PIN code and it'll give you a unique, one-off six digit pass code each time you log on. It's as simple as that.

Small & portable
It's about the same size as a credit card so it should easily fit in a wallet or purse. You can take it with you and log on to Internet banking anywhere you choose.

Benefits:
Much more secure: The code you need to input online is displayed on the device and therefore seen only by you. Online fraudsters cannot steal something you physically have. This extra layer is something unique for each user.
Protection for transactions: All Internet banking transactions (such as fund transfers to non-designated accounts) need to be authenticated by a device held only by you.
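How a server can check the one-off six-digit code described above, as an added example that is not from the original report or from HSBC. The report does not say which algorithm the Secure Key uses; the counter-based HOTP scheme of RFC 4226 is assumed here, and TokenVerifier, LOOK_AHEAD and MAX_FAILURES are hypothetical names and values.

```python
import hashlib
import hmac
import struct

DIGITS = 6         # the report describes a six-digit pass code
LOOK_AHEAD = 3     # assumed: tolerate codes generated but never submitted
MAX_FAILURES = 5   # assumed: lock the token after repeated wrong codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server-side state for one customer's device (hypothetical class)."""

    def __init__(self, secret: bytes, counter: int = 0):
        self._secret = secret
        self._counter = counter   # lowest counter value still acceptable
        self._failures = 0

    def verify(self, submitted: str) -> bool:
        if self._failures >= MAX_FAILURES:
            return False          # locked: a 10**6 code space must not be guessable
        if len(submitted) == DIGITS and submitted.isascii() and submitted.isdigit():
            for c in range(self._counter, self._counter + LOOK_AHEAD + 1):
                expected = hotp(self._secret, c).encode()
                if hmac.compare_digest(expected, submitted.encode()):
                    # Moving past c makes this code and all earlier ones unusable.
                    self._counter = c + 1
                    self._failures = 0
                    return True
        self._failures += 1
        return False


if __name__ == "__main__":
    # Constructed demo using the published RFC 4226 test secret.
    verifier = TokenVerifier(b"12345678901234567890")
    print("first use:", verifier.verify("755224"))
    print("replay   :", verifier.verify("755224"))
```

Advancing the counter on success is what makes each code one-off: a code captured by a fake website is useless once the real log on has consumed it or a later one.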

02. Staying safe online
Install Rapport Software
Install anti-virus software
Update your browser
Keep your software up-to-date
Don't share private information online
Look after your paper statements
Understand how criminals use the internet
Avoid online fraud and con tricks
Learn to spot fake emails and fake websites
Protect your mobile phone

Install Rapport Software
Get an extra layer of protection when you bank online. HSBC recommends that you install Rapport software from Trusteer. It's free, easy to install and simple to use. It works with the security software you already have to make online banking safer.

Install anti-virus software
Anti-virus software protects you, your privacy and your money. Viruses are bad news. They steal personal information, take over your PC, pop up unwanted adverts and they can even use your computer to attack other people's computers. Anti-virus software protects you against all of them. To work properly, anti-virus software has to download updates regularly over the internet. You can download Microsoft Security Essentials or McAfee Virus Scan Plus.

Update your browser
The program you use to look at websites is called a web browser. Modern browsers warn you if you visit fake websites and it is harder for viruses to infect them. It makes sense to use a modern web browser. If you have updated your computer regularly, it is likely that you are already running either Microsoft Internet Explorer 8 on Windows PCs or Safari 5 on Macs. It is a good idea to install an up-to-date web browser.

Keep your software up-to-date
It is harder for viruses to infect updated software. The criminals who create viruses take advantage of software bugs to infect computers. Software companies fix bugs with free downloadable updates. It is a good idea to install updates for your software as soon as they become available. Most modern software will check for updates automatically.

Don't share private information online
All private information is useful to people who want to steal your identity or break into your Personal Internet Banking. You wouldn't give this information away to a stranger in the street, but if you use social networking sites, such as Facebook, Twitter or MySpace, you could be oversharing personal data. You may want to think carefully about the information you put into your profiles on sites like this. It is also a good idea to check the privacy settings on each site that you use to make sure you only share personal information with people you trust.

Look after your paper statements
Fraudsters use personal information from different sources to steal people's identities. Viruses are one way to do it. But they also use paper documents of your accounts containing personal details, such as receipts and bank statements. Fraudsters use many methods, such as searching in dustbins, to obtain these documents. You should take simple precautions to keep your details safe and to dispose of these documents safely.

Understand how criminals use the internet
Criminals are in it for the money. There are many ways for them to make money online:
Steal your passwords and bank details with viruses, fake emails and fake websites
Ask you to provide security details
Send spam with bogus offers and products
Take over your computer and use it to attack other people's computers
Use viruses to display unwanted adverts on your PC

We take your Personal Internet Banking security and privacy very seriously. Protecting yourself and your money takes a bit of know-how and the right software.

Avoid online fraud and con tricks
When it comes to protecting yourself and your money on the internet, be wary of ridiculous deals. Criminals may contact you by email, through websites you use, via SMS or even by phone. It pays to be on your guard as they can be quite convincing. Here are some warning signs:
Big promises. 'You have won the lottery'
Big threats. 'Your account has been hacked'
A false sense of urgency. 'Act now or it'll be too late'
There is no reason for them to contact you. Did you even buy a lottery ticket?

If an attachment looks suspicious, don't open it. Don't install software unless it comes from a website you trust. If you suspect that there is a problem with your Personal Internet Banking, you can always talk to us first.

Learn to spot fake emails and fake websites
Criminals use fake emails and fake websites to con people into giving away passwords and bank details. For example, they might send you an email that looks like it comes from us and it might contain a link to a website that looks like this one. When you try to log on, they can steal your password. They are good at making their emails and websites look realistic. But you can often spot the fake ones:
Dodgy looking email or web addresses
Poor design, typos or bad spelling
They ask you to do something unusual
A site doesn't display the padlock symbol in the address bar when you log in

If in doubt, check with us first. Avoid clicking on links in emails. A starting point on protecting yourself online is to use the software we refer to from this site. Rapport software and up-to-date web browsers block fake websites.

Protect your mobile phone
Your phone may hold lots of personal data, so take care of it. You may even use it for internet banking and online shopping. You may want to think about:
Setting and using a security PIN code
Adjusting the phone settings so that it locks automatically if you don't use it for five or ten minutes
Not storing passwords or other sensitive information on your phone in a way that can be understood by someone else
Not storing your home phone number and address under 'home' in the contact list
Being wary of voicemail and text message scams

If you lose your phone, report it to your mobile phone provider immediately. Make a note of your phone's IMEI number (dial *#06# to get it). This will make it easier for your phone company to disable a stolen phone.


03. HSBC Security recommendations
Microsoft Security Essentials
McAfee
Trusteer
Browsers

Microsoft Security Essentials
Microsoft Security Essentials helps provide real-time protection for your home PC that guards against viruses and other malicious software. It is simple to install, easy to use and always kept up to date. It's free to anyone with a genuine copy of Microsoft Windows.

McAfee
We have teamed up with McAfee to offer our Personal Internet Banking customers access to free security software for 12 months. It automatically blocks, cleans and removes viruses from your PC and it monitors internet activity, looking for suspicious applications and data. It includes McAfee Site Advisor, which warns you about harmful websites.

Trusteer
Trusteer Rapport adds valuable security when you log on to HSBC Personal Internet Banking. It checks that you are using the real HSBC website and not a fake. It locks down the link between you and the bank so that fraudsters can't listen in. Finally, it blocks all known viruses that target online banking. Rapport doesn't replace your Personal Internet Banking security details or other protection such as anti-virus software. It works with them to add extra security.

Browsers
You use a web browser to look at websites. It's the doorway to the internet. Examples include Microsoft Internet Explorer, Google Chrome and Apple Safari; the software that is showing you this page now is your current web browser. The latest browsers have security features that block fake websites and protect against some viruses. If you are not using the latest version, you may want to get the new browser software immediately and update it regularly for maximum protection.
