Page 40 - Digital Financial Services security assurance framework
(continued)
Affected Entity: Third-Party, DFS Provider
Risks and vulnerabilities:
- Network exposure to outside attacks (SD: Availability)
Controls:
- C100: DFS applications should be subjected to regular security penetration scans and penetration testing. In particular, applications should be designed to be robust against phishing software.

Affected Entity: Mobile User
Risks and vulnerabilities:
The risks of installation of malware such as spyware and trojans occur because of the following vulnerability:
- No anti-malware or anti-virus software is used or updated regularly (SD: Availability)
The risk of remote code execution is due to the following vulnerabilities:
- Obsolete device software (SD: Data Confidentiality)
- No anti-malware or anti-virus software is used or updated regularly (SD: Availability)
- User device tampering and rooting (SD: Integrity)
Controls:
- C101: Keep the mobile device OS updated regularly; do not allow installation of programs without user validation.
- C102: Mobile users should be encouraged to perform regular security updates on the mobile devices they use for DFS transactions and ensure they are updated with the latest security patches from device manufacturers and application providers.
- C103: Install security software from trusted sources on mobile devices, including antivirus, anti-spyware, and software authentication products, to protect devices from current and evolving malware threats.
- C104: Because a tampered or “rooted” device can potentially compromise the confidentiality, integrity, and privacy of user data.
- C105: The mobile app developer should ensure that DFS applications are sandboxed, such that other untrusted applications on the mobile device cannot interact with the DFS application, and interaction with the operating system is limited.

Affected Entity: MNO
Risks and vulnerabilities:
The risks of inability to transact and service compromise occur because of the following vulnerability:
- Network exposure to outside attacks (SD: Availability)
Controls:
- C106: Perform regular vulnerability scans and penetration tests on MNO infrastructure to check exposure to attacks that could affect system availability.
- C107: Install and regularly update the latest anti-malware software (if available) and make this available to end-users. Consider application wrapping, which can be employed with an MDM (Mobile Device Management) solution to prevent and remove malicious software and applications.
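Control C105 asks that a DFS app be sandboxed so that other apps on the device cannot interact with it. On Android the main lever for this is component export in the app manifest. The fragment below is an added illustration, not code from the ITU framework or from any DFS provider; the package name com.example.dfswallet, the component names and the permission name are assumptions. Comments mark the weak setting beside the corrected one for each component.

```xml
<!-- Added example for control C105 (not part of the ITU framework).
     Package, component and permission names are assumptions. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dfswallet">

    <!-- Signature-level permission: only apps signed with the same key as
         the DFS app (for example a companion app from the same provider)
         can hold it; a third-party app cannot be granted it. -->
    <permission
        android:name="com.example.dfswallet.permission.INTERNAL"
        android:protectionLevel="signature" />

    <application
        android:allowBackup="false"
        android:label="DFS Wallet">

        <!-- The launcher activity must be exported so the system can start
             it, but it is the only entry point and reads no untrusted extras. -->
        <activity
            android:name=".MainActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- Weak form: android:exported="true" with no permission, so any
             installed app could launch the payment screen with crafted extras.
             Hardened: not exported, so only this app's own code can start it. -->
        <activity
            android:name=".PaymentActivity"
            android:exported="false" />

        <!-- Weak form: android:exported="true" on the provider lets any app
             query or modify balance and history tables.
             Hardened: the data stays inside the app sandbox. -->
        <provider
            android:name=".TransactionProvider"
            android:authorities="com.example.dfswallet.transactions"
            android:exported="false" />

        <!-- A component that must be reachable by another app from the same
             provider is exported only behind the signature permission. -->
        <service
            android:name=".SyncService"
            android:exported="true"
            android:permission="com.example.dfswallet.permission.INTERNAL" />

        <!-- Receiver for the app's own internal events; not exported, so
             other apps cannot inject broadcasts into it. -->
        <receiver
            android:name=".SessionReceiver"
            android:exported="false" />
    </application>
</manifest>
```

From Android 12 (API level 31) onward a component that declares an intent filter must state android:exported explicitly or the app will not install, which makes the review of every exported component a routine part of the build rather than an afterthought. A quick check during the penetration testing called for in C100 is to list every component with android:exported="true" and confirm that each one either needs to be reachable by the system or is guarded by a signature-level permission.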
8.14 Threat: Zero-Day Attacks
We consider this subset of malware threats specifically because traditional means of defending against malware
are ineffective against a threat that has not previously been seen.
Affected Entity: MNO, DFS providers, and Third parties
Risks and vulnerabilities:
The risks of unauthorised access to confidential user data and unauthorised modification of user data occur because of the following vulnerability:
- Discovery of new exploits against deployed systems and the inability to deploy solutions against these exploits (SD: Data Confidentiality, Access Control, Availability)
Controls:
- C108: MNOs, along with DFS providers and payment services providers, should patch systems to the latest versions provided by the vendor to defend against attacks that have been developed from older vulnerabilities.
- C109: Providers and MNOs should have contingency plans in place with vendors to quickly acquire patches and system remediation if a zero-day attack has been found in the wild. Part of this strategy involves the proper use of backups.
38 Digital Financial Services Security Assurance Framework