Security Strategy Suggestions for AGRICULTURAL Bank's Internet Banking
The bank's risk protection should be built up from the system security guarantee, client-side security and customer identification, and the control of the transaction process and business processes.
Set up a reliable system structure
A reliable system structure is the foundation on which an internet bank establishes its security system. AGRICULTURAL Bank can set up multiple firewalls between the Internet and the online banking servers, each from a different manufacturer and each with its own security policy; add filtering routers; create encrypted communications gateway servers; and in this way increase the difficulty for hackers attacking the firewalls. At the same time, isolation and access control between the internal and external networks must be effectively realized.
Adopt internationally advanced network security testing software, monitor all service activities 24 hours a day, and regularly carry out network system security analysis so that weaknesses and flaws existing in the internet bank are discovered and corrected in time. The analysis should produce remedial measures and suggestions for enhancing the security strategy, so as to achieve network security.
Strengthen monitoring and audit
Auditing records all the activities of users in the course of using the computer network system, and it is an important tool for improving security (Iain, 2007). It can identify not only who accessed the system but also how the system was used. When determining whether a network attack has occurred, audit information is very important for identifying the problem and the source of the attack. At the same time, system event records allow problems to be identified more quickly and systematically, and they are the important basis for handling incidents afterwards. In addition, by continually collecting, accumulating and analyzing security events, and by selectively auditing and tracking certain sites or users, potentially destructive behaviour can be discovered and strong evidence of it provided. Therefore, besides ordinary network management software and system monitoring and management systems, the online banking system should make full use of today's mature network monitoring equipment and real-time intrusion detection equipment, so that the traffic passing in and out of the local area networks at all levels is examined, monitored, alarmed on and blocked in real time, and attacks and crimes are prevented (Jaeques, 2004). Detailed security audit logs should be established, the relevant departments should regularly assess the various causes that may interrupt the system through faults, and corresponding disaster recovery plans should be worked out in advance.
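As an added illustration of the point above (not code from the original text), the following Python example parses a few constructed online banking audit log lines in an assumed format, answers "who accessed the system and how" for one user, and flags a source address whose failed logins spread across many different accounts, which is the kind of evidence an auditor would use to locate the source of an attack.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed audit log lines in a format assumed for this example:
# "<timestamp> <event> user=<id> src=<ip> result=<ok|fail>"
AUDIT_LOG = """\
2024-03-01T09:00:01 login user=u1001 src=203.0.113.5 result=ok
2024-03-01T09:00:05 login user=u1002 src=203.0.113.5 result=fail
2024-03-01T09:00:07 login user=u1003 src=203.0.113.5 result=fail
2024-03-01T09:00:09 login user=u1004 src=203.0.113.5 result=fail
2024-03-01T09:00:12 login user=u1005 src=203.0.113.5 result=fail
2024-03-01T09:01:00 login user=u2001 src=198.51.100.7 result=fail
2024-03-01T09:01:30 login user=u2001 src=198.51.100.7 result=ok
2024-03-01T09:02:00 transfer user=u1001 src=203.0.113.5 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_audit(text: str) -> List[Dict[str, str]]:
    """Parse each line into a record; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def suspicious_sources(records: List[Dict[str, str]], max_failed_accounts: int = 3) -> Dict[str, List[str]]:
    """Source IPs whose failed logins touch more than max_failed_accounts distinct
    users (password guessing across accounts), with the accounts they touched."""
    failed = defaultdict(set)
    for r in records:
        if r["event"] == "login" and r["result"] == "fail":
            failed[r["src"]].add(r["user"])
    return {src: sorted(users) for src, users in failed.items() if len(users) > max_failed_accounts}


def activity_of(records: List[Dict[str, str]], user: str) -> List[str]:
    """Answer 'who accessed and how': every event recorded for one user, in log order."""
    return [f"{r['ts']} {r['event']} from {r['src']} ({r['result']})" for r in records if r["user"] == user]
```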
In the development of internet banking applications there must be a clear distinction between the web application layer, the data communication layer and the data layer, so that the security policy of each level is independent. Distinguishing the client layer, the application layer and the data service layer helps to refine the security risk, and when a threat occurs it makes it easy to analyze the cause quickly, control it in time and eliminate the threat.
The system design must store some confidential customer information, and it must not be stored in the database in a form that can be recovered. For example, the passwords customers use in the internet bank must be stored in the database by AGRICULTURAL Bank through an irreversible encryption algorithm, so that even if a hacker enters the database system and obtains the password fields, the original passwords cannot be deciphered.
AGRICULTURAL Bank should strengthen the construction of its internal rules, to prevent operational risk and the occurrence of moral hazard. In software development, AGRICULTURAL Bank cannot depend entirely on outsourcing companies; key modules should be completed relying on AGRICULTURAL Bank's own technical strength, and attention should be paid to the protection of intellectual property rights. When cooperating with outsourcing companies, AGRICULTURAL Bank must sign security agreements with them.
Strengthen client-side security control and customer recognition
To strengthen the security protection of clients, AGRICULTURAL Bank can cooperate with renowned international companies to develop, specifically for AGRICULTURAL Bank, a special set of client-side input controls that replace the traditional web controls. These prevent malicious programs from capturing users' sensitive information through normal keyboard events; the intellectual property rights of the input controls should be protected; and an additional randomly generated verification code on input prevents brute-force attacks by malicious programs.
Use advanced encryption and authentication technology to provide safe and reliable digital certificates; abolish the current practice of storing digital certificates on hard disk and of static transaction passwords; introduce USBKEY for clients, and compulsorily promote tokens, dynamic password cards and similar safer storage media for digital certificates. As the current domestic high-end online banking security tool, USBKEY can easily put an end to fraud by means of viruses, Trojan horses, hackers and fake websites. Tokens and dynamic password cards are equivalent to an online banking dynamic password: when customers use the online bank, the transaction is processed according to a randomly generated password from the system.
If fingerprint authentication and iris biometric identity authentication technology can be combined with digital certificates, client-side security problems can be solved better (Jaeques, 2004).
Strengthen the management and control of customer certificates
For example, when customers sign up for online banking, AGRICULTURAL Bank should record their mobile phone numbers. When a customer first downloads a certificate, the customer is notified by text message, and the certificate download can only be completed after the customer's confirmation by mobile phone short message has been obtained. Mobile phones can also be used to confirm some transfer payment transactions and large-amount transactions, so that even if a criminal obtains the customer's password, transaction password, certificate and other information through illegal means, they still cannot complete transfers and large payments.
The client design should add some personalized customer settings to help customers recognize fake sites. For example, customers can set up web page elements according to their needs; some personalized private information can be shown on the website; customers can, according to their own ability to bear risk, set certain transactions to require extra password control, such as certificate backup and large transfers; and customers can also be allowed to set a closed transfer function at the counter, which only permits transfers between several designated accounts, so that even if criminals obtain the customer's password and certificate information, they still cannot transfer funds.
Enterprise online banking business should strengthen the management of authorization models
When clients deal with online bank transfer payments, group fund management and other kinds of important business, different authorization combinations should be set for different amount ranges (Jaeques, 2004). The purpose of setting a business authorization pattern is to manage important business and general business, large trades and small trades, differently, and to implement different levels of authorization control. The same idea can be applied as an innovation in personal security control: the client may set up authorization roles according to their own needs, for example husband and wife may authorize each other's transactions. However, this increases the complexity of use for customers, so it can only be offered to customers as a personalized function setting.
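As an added worked example (not code from the original text) covering the customer controls described in the two sections above, the following Python policy check combines the closed transfer list set at the counter, the mobile SMS confirmation and optional extra password for large transfers, and amount-tiered approver combinations for enterprise transfers; all thresholds, role names and account numbers are constructed for the illustration, since the text gives no specific figures.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Thresholds and role combinations constructed for this example (amounts in yuan);
# the text gives no specific figures.
SMS_CONFIRM_ABOVE = 5_000      # large payments also need mobile SMS confirmation
AUTHORIZATION_TIERS: List[Tuple[float, Set[str]]] = [
    (10_000, {"maker"}),                              # small trades: one operator
    (100_000, {"maker", "checker"}),                  # medium: maker plus checker
    (float("inf"), {"maker", "checker", "manager"}),  # large: manager approval too
]

@dataclass
class CustomerSettings:
    # Closed transfer list set at the counter; None means transfers are unrestricted.
    allowed_destinations: Optional[Set[str]] = None
    # Customer opted in to an extra password on large transfers.
    extra_password_on_large: bool = False

@dataclass
class TransferRequest:
    amount: float
    destination: str
    approver_roles: Set[str]        # roles that have already approved this request
    sms_confirmed: bool = False
    extra_password_ok: bool = False

def required_roles(amount: float) -> Set[str]:
    """Roles that must have approved a transfer of this amount."""
    for upper, roles in AUTHORIZATION_TIERS:
        if amount <= upper:
            return set(roles)
    return set(AUTHORIZATION_TIERS[-1][1])

def authorize_transfer(settings: CustomerSettings, req: TransferRequest) -> List[str]:
    """Return the reasons the transfer is refused; an empty list means it may proceed."""
    reasons = []
    if settings.allowed_destinations is not None and req.destination not in settings.allowed_destinations:
        reasons.append("destination not in closed transfer list")
    if req.amount > SMS_CONFIRM_ABOVE and not req.sms_confirmed:
        reasons.append("large transfer needs SMS confirmation")
    if settings.extra_password_on_large and req.amount > SMS_CONFIRM_ABOVE and not req.extra_password_ok:
        reasons.append("large transfer needs extra password")
    missing = required_roles(req.amount) - req.approver_roles
    if missing:
        reasons.append("missing approver roles: " + ", ".join(sorted(missing)))
    return reasons
```

A stolen password and certificate alone satisfy none of these extra conditions, which is the protective effect the text describes.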
Also, given that most customers lack computer-related knowledge and know very little about preventing viruses, they will be attacked by phishing and virus software. Head office can cooperate with well-known antivirus software development companies to provide genuine antivirus software to AGRICULTURAL Bank customers at a discounted purchase price. These customers would enjoy all the rights of a purchaser of the anti-virus software, including related training, regular upgrades, after-sales service and so on.
Strengthen safety awareness
Use several channels and a variety of methods for customer safety training and common-sense training, so that customers form good habits: do not open emails of unexplained origin or with attachments. When browsing the bank's website, customers should type the bank's web address into the browser's address bar, or record the real website in their favourites and log in from there, when using the online banking account; when inputting the password, use the soft keyboard the system provides (Jaeques, 2004). Choose a password that is not easy to guess, and do not use a birth date, telephone number or commonly used name; do not tell anyone the password, and avoid writing it in a diary or on the computer; the password should not be used for any service other than the online bank; the online banking login password and the account transfer payment password should be different, and passwords should be changed regularly (Iain, 2007). Do not use the online bank in public places (such as Internet cafes, public libraries, etc.); when finished using the online bank, click the "end" button to log out; download and install the client security controls; regularly download and install the latest operating system and web browser security programs or patches, install a personal firewall and update antivirus software; examine transaction records regularly and keep track of account changes; be alert to links in emails, etc. Make full use of the news media to publicize internet security risks to the public and explain how criminals use internet banking to steal clients' money, so as to improve customers' ability to recognize authenticity and prevent risk.
Strengthen research into hacker techniques and anti-virus measures, and strengthen collaboration and communication between banks, between banks and the public security department, and with anti-virus vendors, so as to grasp the latest Internet crime trends and virus information in time and take effective protective measures, such as informing clients about antivirus programs and providing door-to-door upgrade service for VIP customers.
Establish an internet banking risk compensation system
Take effective measures to enhance customers' confidence in using internet banking. When customers using internet banking suffer losses through no fault of their own, the bank should compensate them first, in order to eliminate customers' concerns. The scale of risk compensation could be 1% of the internet bank's annual income, with a total direct provision of 50 million yuan, replenished on a rolling basis afterwards. As far as is understood, Bank of America pays $70 million each year, and CMB has set up 100 million in risk reserve funds. AGRICULTURAL Bank should make the compensation examination and approval procedure convenient and fast, to ensure rapid compensation and prevent media hype or other bad influence.