What are the main aspects of physical security risks?

In addition to the liquidity risk, interest rate risk, settlement risk, moral hazard and new financial instrument risk of traditional banks, online banks in China also face new risks that arise from the network environment.

First, the risks faced by online banking in China

1. System risk

(1) Operating system risk. As the direct manager of computer resources, the operating system interacts directly with the hardware and provides the interfaces users work through; it is the foundation for the normal and secure operation of a computer system. The Windows operating system has many security loopholes, while UNIX is an open system whose source code has been made public. According to the Common Criteria for IT Security Evaluation (the CC standard), a security evaluation standard formulated jointly by the United States, the Netherlands, France, Germany, Britain and Canada, the security of Microsoft's Windows operating system and of most UNIX operating systems reaches only the C2 level, whereas the operating system of an online banking system should reach at least the B level.

(2) Application system risk. There are loopholes in the design of the network business system. At present, network application software shows the following security vulnerabilities: unvalidated parameters, broken access control, broken account management, cross-site scripting, buffer overflows, command injection, error handling problems, insecure use of cryptography, remote administration flaws, and misconfiguration of the web and application servers.

During design, attention goes only to "how the computer completes the task", with too little consideration of program control or checking during operation. The system leaves no interface for auditing, so real-time auditing is difficult to conduct.

(3) Data storage risk. Risks caused by data access, confidentiality and hard disk damage.

(4) Data transmission risk. Risks such as data being stolen or modified in transit.

2. Operational risk

The operational risk of online banking refers to the risk of direct or indirect losses caused by imperfections or mistakes in internal procedures, personnel and systems of online banking and external events. The reasons for operational risks are as follows:

(1) The operational risk awareness of online banking is weak.

(2) The responsibilities of the organization are not clear.

(3) The internal control system is imperfect or poorly implemented.

(4) There is no suitable online banking audit department.

3. Credit risk

The credit risk of online banking is mainly manifested in customers' malicious overdraft when using credit cards to pay online, or using forged credit cards to cheat banks.

4. Information asymmetry risk

Information asymmetry shows in two aspects: on the one hand, the online bank cannot obtain enough information about its customers; on the other hand, customers cannot obtain enough information about the online bank. The first makes it easier for online customers to hide their information and actions and to behave in ways that benefit themselves at the bank's expense; the second makes it impossible for customers to evaluate correctly the strengths and weaknesses of the online bank.

5. Legal risks

China lacks corresponding laws and regulations on online banking and online transactions, for example on how to collect tax online, whether a digital signature has legal effect, cross-border transactions, intellectual property, electronic contracts, electronic money and electronic transfers.

Second, China's online banking risk prevention measures

1. Prevent system risks

(1) Physical security. This mainly refers to the security defense measures for key equipment: computer equipment rooms, computer systems, network equipment and keys. To prevent electromagnetic leakage, power lines and signal lines should be fitted with filters, which reduce transmission impedance and cross-coupling between wires and at the same time provide radiation protection.

(2) Application of secure operating system technology. A secure operating system not only prevents hackers from attacking the online banking trading system through loopholes in the operating system platform, but also shields, to some extent, security loopholes in the application software. The United States has developed secure operating systems at various levels, including DG/UX B1 and B2 from Data General and HP-UX CMW B1 and B2 from Hewlett-Packard. Major domestic research institutions and companies have also developed high-security operating systems, such as the SECLINUX secure operating system developed by the Information Security Engineering Research Center of the Chinese Academy of Sciences and the COSIX LINUX system developed by ChinaSoft. At present, the online banking system of China Construction Bank is built on a secure operating system platform: the HP9000 hardware platform with HP's B1-class secure operating system.

(3) Application of data communication encryption technology. According to the communication level at which encryption is applied, encrypted transmission of the data stream can be divided into link encryption, node encryption and end-to-end encryption. Where there are many links and protection against traffic analysis is not required, end-to-end encryption is suitable. Where protection against traffic analysis is required, link encryption and end-to-end encryption can be combined: the message headers are protected with link encryption to defeat traffic analysis, and the transmitted message itself is encrypted end to end.

There are two main algorithms for data encryption: DES and RSA. DES belongs to the private-key (also called symmetric) encryption system. Its advantages are fast encryption and decryption, easy implementation and good security; its disadvantage is inconvenient key management. RSA belongs to the public-key (also called asymmetric) encryption system. Its advantages are good security and easy key management across a network. Therefore a combined encryption system using both DES and RSA can be adopted: the data is encrypted with the DES algorithm and the DES keys are encrypted with the RSA algorithm.

(4) Application system security. Application system security mainly covers the identification of both parties to a transaction and the confirmation of the transaction. In the online banking system, user identity authentication relies on the double check of a digital signature mechanism and a login password, and in the future it can also be performed by an automatic fingerprint authentication system. The digital signature also ensures that the transaction instructions submitted by customers cannot be repudiated. Public key infrastructure (PKI) is a good solution to the trust and encryption problems of a large-scale network environment. At the same time, a secure electronic transaction protocol is adopted. At present the main protocol standards are Secure Hypertext Transfer Protocol (S-HTTP), Secure Sockets Layer (SSL), Secure Transaction Technology (STT) and Secure Electronic Transaction (SET); SET covers the credit card transaction protocol, information confidentiality, data integrity, data authentication, digital signatures and so on, and has become a de facto industry standard.
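The two mechanisms described in the encryption and application-security items above, as one added Python example that is not code from the original article: a hybrid scheme in which each transaction instruction is encrypted under a fresh symmetric key while that key travels wrapped under the recipient's RSA public key, and an RSA digital signature over the instruction that the bank can verify with the customer's public key, giving the non-repudiation the text describes. Everything here is an assumption for illustration: the RSA key pair is textbook RSA on two fixed, public Mersenne primes with no padding, and the symmetric cipher is an HMAC-SHA256 keystream standing in for DES (the standard library has no DES, and DES itself is obsolete for new systems), with an integrity tag so that modification in transit is detected.

```python
import hashlib
import hmac
import secrets

# Constructed demo key material: the Mersenne primes 2^127-1 and 2^521-1. They are fixed
# and public, so this key pair shows the structure only; a real system generates random
# primes of 1024+ bits each and uses OAEP/PSS padding from a vetted library.
P_DEMO = (1 << 127) - 1
Q_DEMO = (1 << 521) - 1
E_PUBLIC = 65537


def make_demo_rsa_keypair():
    """Return ((n, e), (n, d)) for textbook RSA on the fixed demo primes."""
    n = P_DEMO * Q_DEMO
    phi = (P_DEMO - 1) * (Q_DEMO - 1)
    d = pow(E_PUBLIC, -1, phi)  # modular inverse (Python 3.8+); gcd(e, phi) = 1 for these primes
    return (n, E_PUBLIC), (n, d)


def rsa_wrap_key(sym_key: bytes, pub) -> int:
    """Encrypt a short symmetric key under the recipient's public key (textbook RSA)."""
    n, e = pub
    m = int.from_bytes(sym_key, "big")
    if not 0 < m < n:
        raise ValueError("key does not fit the modulus")
    return pow(m, e, n)


def rsa_unwrap_key(wrapped: int, priv, key_len: int) -> bytes:
    n, d = priv
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def _subkeys(key: bytes):
    # Separate encryption and tag keys, both derived from the one wrapped data key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode; a constructed stand-in for the DES data cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: data modified in transit")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def hybrid_encrypt(plaintext: bytes, recipient_pub):
    """Fresh 128-bit data key per message; the data key is sent wrapped under RSA."""
    sym_key = secrets.token_bytes(16)
    return rsa_wrap_key(sym_key, recipient_pub), sym_encrypt(sym_key, plaintext)


def hybrid_decrypt(wrapped_key: int, blob: bytes, recipient_priv) -> bytes:
    return sym_decrypt(rsa_unwrap_key(wrapped_key, recipient_priv, 16), blob)


def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")  # 256 bits, below n


def rsa_sign(message: bytes, signer_priv) -> int:
    """Sign the SHA-256 digest with the signer's private key (textbook, no PSS padding)."""
    n, d = signer_priv
    return pow(_digest_int(message), d, n)


def rsa_verify(message: bytes, signature: int, signer_pub) -> bool:
    """Anyone with the signer's public key can check the signature; only the private key could make it."""
    n, e = signer_pub
    return pow(signature, e, n) == _digest_int(message)


if __name__ == "__main__":
    # One fixed pair plays both roles here; in practice the bank and each customer hold their own.
    pub, priv = make_demo_rsa_keypair()
    instruction = b"TRANSFER 500.00 FROM 1234 TO 5678"  # constructed transaction instruction
    wrapped, blob = hybrid_encrypt(instruction, pub)
    print(hybrid_decrypt(wrapped, blob, priv) == instruction)
    sig = rsa_sign(instruction, priv)
    print(rsa_verify(instruction, sig, pub), rsa_verify(instruction + b"0", sig, pub))
```

Verification fails if a single byte of the instruction changes after signing, and decryption refuses a ciphertext whose tag no longer matches, which is the point of pairing the cipher with an integrity check rather than relying on encryption alone.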

Strengthen auditing of the application system development process and real-time auditing of the application system in operation.

(5) Applying database security technology. Apply access control technology, data encryption technology, hard disk partition protection technology, database security audit technology, fault recovery technology, etc.

(6) Applying firewall security technology. The fourth-generation firewall integrates virus detection, proxy service and packet filtering technology; it establishes and provides security services such as DES encryption, support for link encryption or virtual private networks, and virus scanning; and it offers real-time reporting, real-time monitoring, recording of illegal logins, statistical analysis and so on. When configuring the firewall, cut off all TCP and UDP connections on ports 135 to 142, change the default configuration port, reject PING messages, and implement packet filtering through access-list filtering rules. Adopt a dual-machine cold-standby strategy for the firewall. Conduct intrusion detection and regular vulnerability scanning.
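The access-list packet filtering described above, as an added Python example that is not code from the original article. The rules are constructed from the text: deny TCP and UDP on ports 135 to 142, reject ICMP echo requests (what PING sends), permit the service actually offered, and deny everything else by default; packets are evaluated first-match-wins and each denied packet produces a log line of the kind a real-time monitoring console would show. The permitted port 8443 is an assumed non-default service port, and the packets and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port; 0 for icmp
    icmp_type: int = -1   # ICMP type; 8 is echo request, i.e. ping


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp", "icmp" or "any"
    ports: Tuple[int, int] = (0, 65535)  # inclusive destination-port range
    icmp_type: Optional[int] = None      # restrict an icmp rule to one type


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if pkt.proto in ("tcp", "udp"):
        lo, hi = rule.ports
        return lo <= pkt.dport <= hi
    if pkt.proto == "icmp":
        return rule.icmp_type is None or rule.icmp_type == pkt.icmp_type
    return False


# Constructed access list following the text: ports 135-142 cut for TCP and UDP, ping
# rejected, the service on an assumed non-default port 8443, implicit deny for the rest.
ACCESS_LIST: List[Rule] = [
    Rule("deny", "tcp", (135, 142)),
    Rule("deny", "udp", (135, 142)),
    Rule("deny", "icmp", icmp_type=8),
    Rule("permit", "tcp", (8443, 8443)),
]


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); first match wins, no match means deny."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


def filter_and_log(rules: List[Rule], pkts: List[Packet]):
    """Run a batch of packets; return the decisions and one log line per denied packet."""
    decisions, log = [], []
    for pkt in pkts:
        action, idx = filter_packet(rules, pkt)
        decisions.append(action)
        if action == "deny":
            reason = f"rule {idx}" if idx is not None else "implicit deny"
            target = f"icmp-type {pkt.icmp_type}" if pkt.proto == "icmp" else str(pkt.dport)
            log.append(f"DENY {pkt.proto} {pkt.src} -> {pkt.dst}:{target} ({reason})")
    return decisions, log


SAMPLE_PACKETS = [  # constructed traffic against a constructed bank host
    Packet("tcp", "203.0.113.7", "192.0.2.10", dport=139),
    Packet("udp", "203.0.113.7", "192.0.2.10", dport=137),
    Packet("icmp", "203.0.113.7", "192.0.2.10", icmp_type=8),
    Packet("tcp", "198.51.100.4", "192.0.2.10", dport=8443),
    Packet("tcp", "198.51.100.4", "192.0.2.10", dport=23),
]

if __name__ == "__main__":
    decisions, log = filter_and_log(ACCESS_LIST, SAMPLE_PACKETS)
    print(decisions)
    print("\n".join(log))
```

Rule order matters: the explicit denies sit before the permit so that a later, broader permit can never reopen the cut ports, and the trailing implicit deny means any service not listed is unreachable rather than exposed by omission.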

2. Prevention of operational risks

Operational risks mainly come from within the bank. The bank should improve the internal control system of online banking, establish scientific operating norms and a strict internal control mechanism, separate incompatible positions such as administrator and manager, programmer and operator, and producer and executor, authenticate supervisors and operators with IC cards combined with passwords, and record every access to the system in the log.

Establish an operational risk management center, provide technical training for employees to prevent operational risks, supervise the implementation of various operational risk management systems, evaluate the operational risks of online banking, and take corresponding measures. Establish an operational risk emergency center, study the influencing factors of business, identify situations that may lead to business suspension, back up the system and regularly test the company's disaster emergency plan, and provide technical support and solutions for emerging security problems. Use insurance to offset those "low-frequency, high-hazard" operational risks. Establish an operational risk audit center to monitor and scan all online banking services in real time, and use audit records to audit business operators and computer system managers.
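The separation of incompatible positions and the logging of every access described in the two paragraphs above, as an added Python example that is not code from the original article: a role registry that refuses any assignment which would combine the incompatible positions the text names, and an append-only access log in which each entry commits to the hash of the previous one, so that an audit center verifying the records detects an entry that was edited or removed after the fact. User and role names are constructed.

```python
import hashlib
import json
import time
from typing import Dict, List, Optional, Set

# Incompatible positions named in the text; one person may hold at most one role of each pair.
INCOMPATIBLE_PAIRS = (
    ("administrator", "manager"),
    ("programmer", "operator"),
    ("producer", "executor"),
)


def role_conflicts(held: Set[str], new_role: str) -> List[str]:
    """Roles already held that must not be combined with new_role."""
    conflicts = []
    for a, b in INCOMPATIBLE_PAIRS:
        if new_role == a and b in held:
            conflicts.append(b)
        if new_role == b and a in held:
            conflicts.append(a)
    return conflicts


class AccessLog:
    """Append-only log; each entry stores the previous entry's hash, forming a chain."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict] = []
        self._prev = self.GENESIS

    def record(self, user: str, action: str, outcome: str, ts: Optional[float] = None) -> Dict:
        entry = {"ts": time.time() if ts is None else ts, "user": user,
                 "action": action, "outcome": outcome, "prev": self._prev}
        entry["hash"] = self._digest(entry)
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: Dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """False if any entry was altered, inserted or removed since it was written."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class RoleRegistry:
    """Assigns roles subject to the incompatibility rules; every decision is logged."""

    def __init__(self, log: AccessLog) -> None:
        self.roles: Dict[str, Set[str]] = {}
        self.log = log

    def assign(self, user: str, role: str) -> bool:
        held = self.roles.setdefault(user, set())
        conflicts = role_conflicts(held, role)
        if conflicts:
            self.log.record(user, f"assign:{role}", "denied, conflicts with " + ",".join(conflicts))
            return False
        held.add(role)
        self.log.record(user, f"assign:{role}", "granted")
        return True


if __name__ == "__main__":
    log = AccessLog()
    reg = RoleRegistry(log)
    print(reg.assign("alice", "programmer"), reg.assign("alice", "operator"))  # True False
    print(reg.assign("bob", "operator"), log.verify())                         # True True
    log.entries[1]["outcome"] = "granted"   # an after-the-fact edit to the record
    print(log.verify())                                                        # False
```

The chain only makes tampering evident; it does not prevent it. In practice the latest hash is periodically copied somewhere the operators and system managers cannot write, so that the audit center can anchor its verification to a value outside their control.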

For external operational risks, especially financial fraud in online banking, the bank should not only monitor the retail business of personal services but also strengthen the monitoring of enterprises logging into online banking, analyze suspicious fund transactions with data-mining software, and prevent illegal fund transactions carried out over the network.

3. Prevention of credit risk

Establish a nationwide user credit management information system, divide users into different credit grades, and apply different management measures to users of different grades. Share the customer information database, cooperate with other commercial banks, insurance companies and other non-bank financial institutions, and with banks and other financial institutions around the world, and record customers' creditworthiness and breaches of contract promptly.

4. Prevention of information asymmetry risk

Establish information disclosure system to improve the quality of information disclosure. Fair information on online banking business activities and financial status audited by certified public accountants shall be published regularly, and information such as risks of online banking, measures for avoiding risks of online banking and protection of consumers' rights and interests shall be disclosed. Establish a social supervision system and conduct mutual supervision among online banks.

5. Prevention of legal risks

It is necessary to make full use of and implement the Interim Measures for the Administration of Internet Banking, make full use of the Contract Law, Accounting Law, Negotiable Instruments Law, Payment and Settlement Measures and other laws to draft relevant agreements on Internet banking, formulate relevant business processes and business handling regulations, and make full use of the regulations on the security protection of computer information systems, the Interim Provisions on the administration of international networking of computer information networks and other currently implemented administrative regulations on network security. Online banks should pay attention to the custody of transaction data and prepare evidence for possible disputes or lawsuits.

Establish a legal supervision system for online banking, formulate external punishment measures for online banking and exit mechanism for online banking market. Establish a legal system for online banking, such as establishing laws and regulations such as electronic banking law, electronic signature law and electronic fund transfer law, and at the same time enrich and modify existing laws and regulations. Improve the supporting laws and regulations of online banking, including tax collection and management law, international tax law, e-commerce law, criminal law, procedural law, negotiable instrument law, securities law, commercial banking law, consumer protection law, anti-unfair competition law and other relevant laws and regulations. Strengthen exchanges and cooperation with international legislation and judicial practice, and intensify the crackdown on online money laundering, online theft and other electronic crimes.