TelecomLive January-2019
Sebi Cybersecurity

... irrespective of their responsibilities, technical or otherwise. It is infeasible for certain personnel such as System Administrators and developers to not have privileged access to databases. For such cases, take strict measures to limit the number of personnel with direct access, and monitor, log, and audit their activities. Take measures to ensure that the confidentiality of data is not compromised under any of these scenarios.

5. Use industry standard, strong encryption algorithms (e.g.: RSA, AES etc.) wherever encryption is implemented. It is important to identify data that warrants encryption, as encrypting all data is infeasible and may open up additional attack vectors. In addition, it is critical to identify the right personnel to be in charge of, and the right methodologies for storing, the encryption keys, as any compromise to either will render the encryption useless.

6. Ensure that all critical and sensitive data is adequately backed up, and that the backup locations are adequately secured. For instance, on servers on isolated networks that have no public access endpoints, or on-premise servers or disk drives that are off-limits to unauthorized personnel. Without up-to-date backups, a meaningful recovery from a disaster or cyber-attack scenario becomes difficult.

Data transport security

1. When an Application transmitting sensitive data communicates over the Internet with the Stock Brokers' systems, it should be over a secure, encrypted channel to prevent Man-In-The-Middle (MITM) attacks, for instance, an IBT or a Back office communicating from a Customer's web browser or Desktop with the Stock Brokers' systems over the internet, or intra or inter organizational communications. Strong transport encryption mechanisms such as TLS (Transport Layer Security, also referred to as SSL) should be used.

2. For Applications carrying sensitive data that are served as web pages over the internet, a valid, properly configured TLS (SSL) certificate on the web server is mandatory, making the transport channel HTTP(S).

3. Avoid use of insecure protocols such as FTP that can be easily compromised with MITM attacks. Instead, adopt secure protocols such as FTP(S), SSH & VPN tunnels, RDP (with TLS).

Application authentication security

1. Any Application offered by Stock Brokers to Customers containing sensitive, private, or critical data such as IBTs, SWSTs, Back office etc. (referred to as "Application" hereafter) over the Internet should be password protected. A reasonable minimum length (and no arbitrary maximum length cap or character class requirements) should be enforced. While it is difficult to quantify password "complexity", longer passphrases have more entropy and offer better security in general. Stock Brokers should attempt to educate Customers of best practices.

2. Passwords, security PINs etc. should never be stored in plain text and should be one-way hashed using strong cryptographic hash functions (e.g.: bcrypt, PBKDF2) before being committed to storage. It is important to use one-way cryptographic hashes to ensure that stored password hashes are never transformed into the original plaintext values under any circumstances.

3. For added security, a multi-factor (e.g.: two-factor) authentication scheme may be used (hardware or software cryptographic tokens, VPNs, biometric devices, PKI etc.). In case of IBTs & SWSTs, a minimum of two factors in the authentication is mandatory.

4. In case of Applications installed on mobile devices (such as smartphones and tablets), a cryptographically secure biometric two-factor authentication mechanism may be used.

5. After a reasonable number of failed login attempts into Applications, the Customer's account can be set to a "locked" state where further logins are not possible until a password and authentication reset is performed via an out-of-band channel validation, for instance, a cryptographically secure unique link that is sent to the Customer's registered e-mail, a random OTP that is sent as an SMS to the Customer's registered mobile number, or manually by the Broker after verification of the Customer's identity etc.

6. Avoid forcing Customers to change passwords at frequent intervals, which may result in successive, similar, and enumerated passwords. Instead, focus on strong multi-factor authentication for security and educate Customers to choose strong passphrases. Customers may be reminded within reasonable intervals to update their password and multi-factor credentials, and to ensure that their out-of-band authentication reset information (such as e-mail and phone number) is up-to-date.

7. Both successful and failed login attempts against a Customer's account may be logged for a reasonable period of time. After successive login failures, measures such as Captchas or rate-limiting should be used in Applications to thwart manual & automated brute force and enumeration login attacks.
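The "valid, properly configured TLS" requirement of the Data transport security section, shown as an added Python example (not from the SEBI text or any broker's code): a client context that verifies the server certificate and hostname and refuses anything below TLS 1.2, plus a small audit helper that flags the misconfigurations a reviewer would look for. The function names are this example's own.

```python
import ssl
from typing import List, Optional


def make_broker_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context for a back-office or IBT client talking to the broker's systems.

    ca_file is optional: None uses the system trust store; a path can pin a
    private CA bundle (hypothetical value, supplied by the deployment).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    # Certificate must chain to a trusted CA and match the server's hostname.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Legacy protocol versions are vulnerable to downgrade/MITM; require TLS 1.2+.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def example_weak_context() -> ssl.SSLContext:
    """Constructed example of a context that would pass an audit badly.

    This is the shape of a 'just make the connection work' setting that should
    never ship for sensitive data; it exists here only for audit_context to flag.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings; an empty list means the context is sound."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are permitted")
    return findings
```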
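Items 2, 5 and 7 of Application authentication security (one-way hashed credentials, lockout after repeated failures with an out-of-band reset, and logging of both outcomes) worked through as one added Python example; this is illustrative code written for this page, not the SEBI framework's or any broker's implementation. The iteration count and attempt limit are assumed policy values, and the out-of-band validation is represented by a boolean that a real system would obtain from its e-mail link or OTP check.

```python
import hashlib
import hmac
import logging
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000   # assumed policy value; tune to the deployment's hardware
MAX_FAILED_ATTEMPTS = 5       # assumed "reasonable number" of failed logins

log = logging.getLogger("broker.auth")


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes          # only the one-way hash is ever stored, never the plaintext
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-account random salt; cannot be reversed to plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def login(acct: Account, password: str) -> str:
    """Return 'ok', 'bad_password' or 'locked'; both successes and failures are logged."""
    if acct.locked:
        log.warning("login refused for %s: account locked", acct.username)
        return "locked"
    candidate = hash_password(password, acct.salt)
    if hmac.compare_digest(candidate, acct.pw_hash):   # constant-time comparison
        acct.failed_attempts = 0
        log.info("login success for %s", acct.username)
        return "ok"
    acct.failed_attempts += 1
    log.warning("login failure %d for %s", acct.failed_attempts, acct.username)
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        log.warning("account %s locked after repeated failures", acct.username)
        return "locked"
    return "bad_password"


def reset_via_out_of_band(acct: Account, oob_validated: bool, new_password: str) -> bool:
    # Only a reset validated through an out-of-band channel (e-mail link, SMS OTP,
    # or manual broker verification) may unlock the account and replace the hash.
    if not oob_validated:
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.failed_attempts = 0
    acct.locked = False
    return True
```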