Page 27 - Digital Financial Services security assurance framework
8 ASSESSMENT OF DFS SECURITY VULNERABILITIES, THREATS AND MITIGATION MEASURES
In order to systematically counter the threats and vulnerabilities to the DFS ecosystem described in the above sections, we suggest controls for each of the entities within the ecosystem based on the eight ITU-T X.805 security dimensions, aimed at achieving end-to-end security.

Because there are often commonalities in the threats faced by entities throughout the DFS ecosystem, for ease of discussion we first consider a standardized threat that we have identified, the entity affected by the general threat, and the vulnerabilities, risks, and suggested mitigations and controls that can be deployed by that particular entity. We place the vulnerabilities in the context of their impact on the ITU-T X.805 security dimensions (SD).

The diagram in Figure 13 below shows how the security threats identified earlier in Figure 9 are mapped to the 117 security control measures outlined in the sections below (the section number of the report appears in parentheses, indicating where the relevant control is discussed).
Figure 13 - Mapping of threats to security controls (the section in which each control is discussed appears in parentheses)

User: Social engineering (8.8); Unauthorized access to mobile device (8.16); Unintended disclosure of personal information (8.17).

Mobile Device and SIM card: Code exploitation attack (8.4); Malware (8.13); Unauthorized access to mobile device/SIM (8.16); Rogue devices (8.15); Unauthorized access to DFS data (8.12).

Mobile Network Operator: Unauthorized access to DFS data (8.12); Compromise of DFS infrastructure (8.9); Insider attacks (8.7); Man-in-the-middle attacks (8.8); Denial of service attack (8.6); Malware (8.13); Account and session hijack (8.1); Zero day attacks (8.14); Code exploitation attack (8.4); Data misuse (8.5).

DFS Provider: Attacks against credentials (8.2); Attacks against systems and platforms (8.3); Code exploitation attack (8.4); Denial of service (8.6); Compromise of DFS infrastructure (8.9); Compromise of DFS services (8.11); Unauthorized disclosure of personal information (8.17); Insider attacks (8.7); Denial-of-service attacks (8.6); Unintended disclosure of personal information (8.17).

3rd Party: Code exploitation attack (8.4); Denial of service (8.6); Insider attacks (8.7); Malware (8.13); Unauthorized access to DFS data (8.12); Data misuse (8.5).