Amadeus Selling Platform
Connect & IT Security
Guidelines
Information Security
Sep 2020
IT Security Team
Last update: 15/SEP/2020
Page 2 of 18 amadeus.com
© 2020 Amadeus Gulf
Contents
Introduction ................................................................................................. 3
Amadeus Selling Platform Connect Security ...................................................... 3
Amadeus and Travel Agencies Security Responsibilities ...................................... 3
Selling Platform Connect Designed with Security in Mind .................................... 4
Fraud .......................................................................................................... 8
What to do in case of Fraud? .......................................................................... 8
Information Security ................................................................................... 11
Tips for Keeping Internal Fraud Incidents at Bay – Agency ............................... 12
Tips for Keeping Internal Fraud Incidents at Bay – Employees .......................... 12
Password management ................................................................................ 14
Amadeus Selling Platform Connect Password Policy ......................................... 14
Drive-By-Infection....................................................................................... 15
Strong Passwords ....................................................................................... 15
Best Practices to Protect your System ............................................................ 17
Conclusion ................................................................................................. 18
Introduction
Protecting information and information systems from unauthorised access, use or disruption requires good work practices that comply with the security policies, in order to minimise breaches.
Amadeus' commitment to information security is to protect its products and customer data in accordance with relevant laws and regulations, contracts and risk assessments.
Security is a shared responsibility between travel agencies and Amadeus.
Amadeus Selling Platform Connect Security
Amadeus ensures that its core systems and the applications offered to travel agencies comply with stringent external and internal security standards.
Travel agencies should ensure that their systems and processes are properly secured to protect their business from fraud attempts.
General
Amadeus Security Policies and Standards, implemented under proper governance, ensure that all Amadeus and customer assets are adequately protected according to the latest laws and regulations.
For product development, the Amadeus Secure Development Lifecycle (SDL) specifies mandatory controls to be implemented at each stage of development and provides formal security deliverables.
Regular external audits are conducted on the Amadeus internal environment to prove and maintain compliance and certification with:
_ PCI DSS (Payment Card Industry Data Security Standard).
_ SSAE16 – SOC1, an American auditing standard that provides guidance on auditing methods to evaluate the impact of security on the overall financial health of a company.
_ ISO 27001:2013, a framework of policies, internal standards and procedures that covers all the legal, physical and technical controls involved in an organisation's information security risk management processes.
Amadeus and Travel Agencies Security Responsibilities
Amadeus' Security Responsibilities:
_ Amadeus shall ensure that proper information security protection mechanisms and controls are implemented in the products offered to the Travel Agencies.
_ Amadeus shall ensure that audits, vulnerability assessments, penetration testing, risk assessments and compliance checks against local laws, regulations and the international standards mentioned above are performed on the products on an ongoing basis.
Travel Agencies Security Responsibility:
_ Travel Agencies shall ensure that their systems and processes are properly secured to protect their business from any unauthorised access and fraud attempts, and that local users have access to the IT systems based on their roles and job descriptions.
_ Phishing and social engineering threats can be prevented by awareness training for local employees and by email filtering protections.
_ Travel Agencies shall ensure that patches are applied and systems are kept up to date (operating systems and applications, including browsers and anti-virus, etc.).
_ Travel Agencies shall ensure that a password management standard enforces the baseline of a strong password.
_ Travel Agencies shall ensure that they have proper incident management, including a formal incident reporting process.
If travel agencies fail to comply with these basic principles, they bear the risks associated with any data breach; Amadeus will not be held liable in case of fraudulent activities.
Selling Platform Connect Designed with Security in Mind
Sell Connect Architecture
_ Authentication and authorization mechanisms at the heart of the application.
_ Inactivity time-out and re-authentication.
_ Systematic logging of activity through built-in analytics.
_ Concealment of credit cards data in all flows.
_ Included in PCI DSS audit scope.
Sell Connect is developed using a methodology that includes security requirements at every step of the cycle, from design to final implementation:
_ Threat Modelling
_ Security code reviews
_ Automated vulnerability scans
_ Penetration tests
_ Mandatory trainings on secure coding and testing
_ Supported by a security champions (white hats) network
Selling Platform Connect User Authentication Principles
Selling Platform Connect is compliant with current Amadeus corporate security policies, in particular
the one stating that any access to travel agent reservation platforms over the Internet must be
protected by Strong Authentication.
The current solutions to implement this requirement are:
_ Cookie-based Two-Factor Authentication, based on an out-of-band one-time password delivered via SMS or email.
_ DDNA – Digital DNA.
Those solutions increase the strength of the authentication with a minimal impact on the users.
Selling Platform Connect Two-Factor Authentication
The travel agent needs to log in with two factors:
_ Something he knows: a password.
_ Something he has, which can be:
1. A single-use code sent to a mobile phone or an email address.
2. An already-used browser (cookie).
3. A specific computer (desktop/laptop).
Recommendations:
_ TFA (Two-Factor Authentication) is recommended when connecting over any type of connection (leased line or internet).
_ Amadeus proposes the following 2 options to implement TFA:
_ Internet browser based
_ Hardware footprint
Two-Factor Authentication: Internet Browser Based
_ The second authentication factor is a One Time Password (OTP) sent via SMS or email to a given phone number or email address.
_ This password (PIN) is stored on the workstation in a specific Amadeus cookie and passed at logon time to the application to check access rights.
Limitations:
_ The period of validity of a PIN is not limited as long as it is in use. Unused PINs are deleted automatically after 30 days.
_ If the cookie is not cleared, the PIN remains valid.
_ If the workstation is compromised, the TFA code sent by email arrives on the infected machine itself.
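The cookie-based flow and its limitations, as an added worked model that is not Amadeus' own code or protocol: the server checks the password, accepts a PIN presented from the cookie, otherwise issues an OTP and, once the OTP is confirmed, hands back a PIN for the browser to keep. The 15-minute OTP validity and the sample account are assumptions of this model; the 30-day purge of unused PINs and the indefinite life of a PIN in use come from the limitations above.

```python
import secrets
from datetime import datetime, timedelta

OTP_VALIDITY = timedelta(minutes=15)      # assumption of this model; the FAQ only says "limited"
UNUSED_PIN_LIFETIME = timedelta(days=30)  # unused PINs are deleted after 30 days (limitations above)


class Server:
    """Application side: password check, OTP issuance and the registry of cookie PINs."""

    def __init__(self, users):
        self.users = users      # username -> password (constructed sample data, plain text for brevity)
        self.pending = {}       # username -> (otp, issued_at)
        self.pins = {}          # pin -> (username, last_used)
        self.outbox = []        # stands in for the SMS / email channel

    def logon(self, username, password, cookie_pin, now):
        """First factor, then the cookie PIN; with no valid PIN an OTP is sent out of band."""
        if self.users.get(username) != password:
            return "denied"
        if cookie_pin is not None and self.pins.get(cookie_pin, (None, None))[0] == username:
            self.pins[cookie_pin] = (username, now)   # refreshed on every use: a used PIN never expires
            return "ok"
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[username] = (otp, now)
        self.outbox.append((username, otp))
        return "otp-sent"

    def confirm_otp(self, username, otp, now):
        """Exchange a fresh OTP for the PIN the browser will keep in the Amadeus cookie."""
        rec = self.pending.get(username)
        if rec is None or now - rec[1] > OTP_VALIDITY or not secrets.compare_digest(rec[0], otp):
            return None
        del self.pending[username]
        pin = secrets.token_hex(16)
        self.pins[pin] = (username, now)
        return pin

    def purge_unused(self, now):
        """Housekeeping: drop PINs not used for 30 days; returns how many were removed."""
        stale = [p for p, (_, last) in self.pins.items() if now - last > UNUSED_PIN_LIFETIME]
        for p in stale:
            del self.pins[p]
        return len(stale)


class Workstation:
    """Browser side: holds the cookie until it is cleared."""

    def __init__(self):
        self.cookie_pin = None

    def clear_cookies(self):
        self.cookie_pin = None


def scenario():
    """Run the flow end to end and return the observed outcomes."""
    t0 = datetime(2020, 9, 15, 9, 0)
    srv = Server({"agent1": "Travel#2020"})          # constructed sample account
    pc = Workstation()
    out = {}
    out["first"] = srv.logon("agent1", "Travel#2020", pc.cookie_pin, t0)            # no cookie: OTP
    pc.cookie_pin = srv.confirm_otp("agent1", srv.outbox[-1][1], t0 + timedelta(minutes=2))
    out["with_cookie"] = srv.logon("agent1", "Travel#2020", pc.cookie_pin, t0 + timedelta(minutes=3))
    pc.clear_cookies()                                                              # FAQ item 2
    out["after_clear"] = srv.logon("agent1", "Travel#2020", None, t0 + timedelta(hours=1))
    out["late_confirm"] = srv.confirm_otp("agent1", srv.outbox[-1][1], t0 + timedelta(hours=1, minutes=20))
    out["wrong_password"] = srv.logon("agent1", "guess", None, t0)
    srv.logon("agent1", "Travel#2020", None, t0 + timedelta(hours=2))
    pc.cookie_pin = srv.confirm_otp("agent1", srv.outbox[-1][1], t0 + timedelta(hours=2))
    for day in range(1, 32):                             # the PIN in daily use stays valid indefinitely
        srv.logon("agent1", "Travel#2020", pc.cookie_pin, t0 + timedelta(days=day))
    out["purged"] = srv.purge_unused(t0 + timedelta(days=31))   # only the orphaned PIN from the cleared cookie
    out["still_valid"] = srv.logon("agent1", "Travel#2020", pc.cookie_pin, t0 + timedelta(days=31))
    return out
```

The orphaned PIN left behind when the cookie was cleared is removed by the 30-day purge, while the PIN refreshed by daily use survives, which is exactly the first limitation listed above.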
Two-Factor Authentication: Hardware Footprint (DDNA)
Digital DNA = a DNA for a physical device.
As DNA is unique to humans, Digital DNA is unique to devices (laptop, desktop, USB key).
The computer becomes the second factor of authentication: uniqueness is achieved by computing a hash of device attributes that is unique and does not change over time or with usage (accessible only from an installed plug-in).
DDNA is a proof of device ownership: it allows a “something you have” authentication factor to be built.
There are 2 options to enrol a workstation in DDNA:
_ An admin enrolment flow: the user must contact the administrator to get his/her device registered.
_ A self-registration flow: at login time, if the device is not recognised, the user receives an OTP to register the device him/herself.
Note: you can use Amadeus Selling Platform Connect from the restricted terminal.
Limitations:
_ The Portability Control forces a travel agent to work only from devices that are registered with her/his LSS credentials.
_ Self-registration can only be done for one workstation at a time and does not support USB sticks yet.
Frequently Asked Questions for TFA
1. TFA is based on the use of cookies. Do cookies have an expiration date?
➢ It all depends on the client's browser security policy. Some companies may set up a cookie clean-up process; otherwise the cookie stays on the client computer. Any company that sets a browser to automatically clear cookies at exit can also configure it to exclude Amadeus cookies by setting Amadeus as a trusted site.
2. If the cache is cleared, will it delete the cookie and will the user be sent an OTP again?
➢ Indeed, if no cookie is recognised, a new One Time Password (OTP) is sent.
3. If the user receives an OTP (SMS or email) and does not act on it, how is the OTP reset?
➢ The OTP is valid for a limited period of time. To reset it, you need to retry logging in to the product.
4. How long does the user have to wait for the SMS or the email?
➢ 15 minutes. If the agent does not receive any notification email within 15 minutes, please contact the Amadeus helpdesk.
5. How many OTPs can be allocated?
➢ A new unique OTP is generated each time a user tries to access the product from an unknown location.
User Traceability - Amadeus Single User Session
The Single User Session functionality ensures that 2 (or more) agents cannot sign in to Selling Platform Connect at the same time using the same username.
This product feature is critical for the application to comply with the Amadeus security policy, allowing in particular optimised user identification and traceability. It applies to both production and training environments.
Note that Single User Session is enabled by default.
Accessing Selling Platform Connect via the Amadeus network (LAN-to-LAN VPN)
Amadeus offers travel agencies access to its systems and applications through the Amadeus private intranet.
This solution mainly consists of connecting the travel agency's intranet to the Amadeus intranet, which is particularly suited to large travel agencies that already have their own secured intranet.
Office ID Security Settings
No specific LSS security settings exist at the office level. All security parameters are managed via
the ASM (security web interface) by the Affiliate.
The Affiliate – together with the Travel Agency – should periodically review existing EOS agreements to ensure that they correspond to the exact needs of the agency.
Office Setting:
_ Travel agencies may consider restricting the ticketing capability to a selected number of people, hence reducing the risk of fraud. This can be done in the User Group definitions.
Fraud
Fraud is an intentionally deceptive action designed to provide the perpetrator with an unlawful gain,
or to deny a right to a victim.
Fraud Scenarios
(*) Notes:
1. Via phishing, visiting malicious web pages or opening infected documents.
2. OTPs are often sent to a generic mailbox. This account should not be shared.
3. Malware can install a Remote Access Tool (RAT) capable of activating a session if the workstation is not powered off. However, fraudulent access with this credential is only possible when the legitimate T/A is not logged on.
If the stolen credentials have rights to create additional accounts, the fraudster can create a new account (or register a new device) and use them at any time!
What to do in case of Fraud?
By the Travel Agent:
_ Each affected agency should be advised to identify the compromised computer and disconnect its network access.
_ To ensure all infections are eliminated, rebuild the computer from scratch with a new operating system installation.
• If possible, take a system image before the rebuild so that a forensic investigation can determine the root cause of the infection.
• Note: scanning with an anti-virus product does not guarantee that all traces of an infection have been successfully removed.
_ Report the case in detail to the Amadeus IT Service Desk, along with the malicious actions that were performed:
• Date and time of the fraudulent activity, list of all fraudulent PNRs, list of fraudulent tickets, compromised account and/or sign, Office ID, workstation IP.
_ Urgent actions to take: void or refund as many tickets as possible; as a last resort, contact the airline to suspend the e-ticket coupons to prevent the tickets from being used. This will protect your revenue.
_ As per IATA requirements, cancel the flights and report the case to IATA or your local
BSP.
_ Report the case to local or national law enforcement, as appropriate to the country.
_ Once notified the Amadeus Service Desk will perform following actions (as per existing
procedure):
• Immediately lock the Amadeus User Account.
• Log an incident record to SMC Distribution
• Provide support to the customer to void, refund or suspend the tickets: this
must be done with the agreement of the Travel Agencies.
• The Travel Agencies must confirm the rebuild of workstation before a new
installation is executed.
• Investigate with the customer the root cause and collect associated
evidence.
_ Most credential thefts and malware installations are done via phishing emails. Refer to the section “Travel Agency Security” for recommendations on how to avoid them.
_ Hereafter is an example of a mail to warn Travel Agencies in your market:
We would like to inform you that phishing has taken place in some markets. In some cases the attackers impersonate Amadeus by email and attempt to infect computers.
We would like to advise you to take a couple of precautionary steps to avoid being affected.
1. Amadeus never sends software updates via email.
2. Always verify that the sender email domain is correct.
3. Never open attachments or click on links in an email unless you are sure the action
is safe.
4. Please report suspicious emails by logging a case in Amadeus Service Hub.
5. You should run current anti-virus software in real time mode on all computers.
Please share those guidelines with all members of your agency.
Travel Agencies Local Administration duties
Hereafter some best practices to consider:
● Delete unused accounts.
● Freeze accounts of users temporarily inactive (long sick leave for example).
● Use professional email addresses and phone numbers in the user account.
● Only maintain one single account per Travel Agent.
● And never – ever! – share accounts and passwords.
An additional simple measure to limit the risk is to shut down workstations at night and on non-working days, so everyone is requested to shut down their workstation when leaving the office!
Travel Agency Security
The most common cyber threats to travel agencies are social engineering attacks, especially phishing, which attempt to steal confidential data, install remote desktop utilities and backdoors, and install malware.
It is the responsibility of the Travel Agencies to protect their own infrastructure.
A key part of this protection concerns travel agent awareness and training.
Information Security
Information security is the practice of preventing unauthorized access, use, disclosure, disruption,
modification, inspection, recording or destruction of information.
Main cyber threats to travel agencies
Tips for Keeping Internal Fraud Incidents at Bay – Agency
Tips for Keeping Internal Fraud Incidents at Bay – Employees
How did My Computer Get COMPROMISED?
Phishing
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords
and credit card details by disguising as a trustworthy entity in an electronic communication. Typically
carried out by email spoofing or instant messaging, it often directs users to enter personal
information at a fake website, the look and feel of which are identical to the legitimate site.
How to prevent Phishing (malicious emails)
• Never click on links in an e-mail. Instead, use an internet search engine to find the web site you want, or manually type in the site's address.
• Never respond to a suspicious e-mail requesting personal information. If a company requests personal information about your account or says your account is invalid, visit the web page and log into the account as you normally would.
• Finally, if you are not sure whether Amadeus is the true sender of an e-mail you received, please contact Amadeus over the phone or via a known support e-mail address to get confirmation before taking any action.
• Most Phishing-related risks can be avoided through awareness and training of employees.
Password management
Recommendations
• Don’t share or communicate your passwords to anyone, NEVER!
• Don’t use generic passwords.
• Change password at least every 60 days.
• Create a strong password:
o Use a unique combination of letters (mixing upper- and lower-case), numbers, and
symbols (special characters).
o Use at least 8 characters for your password, more is better.
o You must not use your Selling Platform Connect password anywhere else.
o Do not use the e-mail password, nor the network username.
o Do not use an easily guessed password, such as “p3ssw0rd”, or combinations of
adjacent characters on your keyboard.
o In general, avoid using the same password on multiple web sites, and make sure
your e-mail password stays unique.
o Never store passwords in plain text anywhere, including in a web browser; if needed, use a secure password manager.
Amadeus Selling Platform Connect Password Policy
• Minimum Length (characters): 8
• Enforce both alphabetic and numeric characters: Yes
• Enforce both lower and upper case: Yes
• Enforce Special Character: Yes
• Password Validity (Days): 60
• Maximum Password Attempts: 6
• Minimum Password History: 6
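An added illustration, not Amadeus' own implementation: a small account model that enforces the policy values listed above (the four complexity rules, 60-day validity, lockout after 6 failed attempts, and no reuse of the last 6 passwords). PBKDF2 storage, the sample passwords and the result labels are assumptions of the example.

```python
import hashlib
import os
from datetime import datetime, timedelta

# Values copied from the Selling Platform Connect password policy listed above.
MIN_LENGTH = 8
VALIDITY_DAYS = 60
MAX_ATTEMPTS = 6
HISTORY_SIZE = 6

def complexity_violations(password):
    """Return every complexity rule the candidate fails (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs both alphabetic and numeric characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both lower and upper case")
    if not any(not c.isalnum() for c in password):   # special = anything non-alphanumeric
        problems.append("needs a special character")
    return problems

def _hash(password, salt):
    # Slow, salted hash so the stored current/previous passwords are not cheap to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Minimal account record applying the policy (constructed for this example)."""
    def __init__(self, initial_password, now):
        self.salt = os.urandom(16)
        self.history = []           # hashes of the current and previous passwords, newest last
        self.failed_attempts = 0
        self.locked = False
        self.changed_at = now
        refused = self.set_password(initial_password, now)
        if refused:
            raise ValueError("; ".join(refused))

    def set_password(self, new_password, now):
        """Apply the change if the policy allows it; return the reasons it was refused."""
        reasons = complexity_violations(new_password)
        if _hash(new_password, self.salt) in self.history:
            reasons.append(f"matches one of the last {HISTORY_SIZE} passwords")
        if reasons:
            return reasons
        self.history = (self.history + [_hash(new_password, self.salt)])[-HISTORY_SIZE:]
        self.changed_at = now
        self.failed_attempts = 0
        return []

    def login(self, password, now):
        """Return 'ok', 'expired', 'locked' or 'bad-password'; six failures lock the account."""
        if self.locked:
            return "locked"
        if _hash(password, self.salt) != self.history[-1]:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_ATTEMPTS:
                self.locked = True
                return "locked"
            return "bad-password"
        self.failed_attempts = 0
        if now - self.changed_at > timedelta(days=VALIDITY_DAYS):
            return "expired"
        return "ok"

def demo():
    """Walk through a password change, history reuse, lockout and expiry."""
    t0 = datetime(2020, 9, 15)
    acct = Account("Travel#2020", t0)                   # constructed sample account
    out = {"login_ok": acct.login("Travel#2020", t0)}
    out["reuse"] = acct.set_password("Travel#2020", t0)
    out["weak"] = acct.set_password("p3ssw0rd", t0)     # the page's own example of a guessable password
    for _ in range(MAX_ATTEMPTS):
        status = acct.login("wrong-guess", t0)
    out["after_six_bad"] = status
    out["expired"] = Account("Summer$Paris21", t0).login("Summer$Paris21", t0 + timedelta(days=VALIDITY_DAYS + 1))
    return out
```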
Drive-By-Infection
Recommendations
• Sometimes just browsing a site can result in a malicious program being downloaded and installed on the workstation:
o Avoid visiting sites not related to your work.
o Check that you are at the right website when downloading software or upgrades. Even when using a trusted site, double check the URL before downloading to make sure you haven’t been redirected to a different site.
• Keep your system up to date:
o Windows security updates
o Updates for all other software (browser, Adobe Flash Player, Java, PDF reader, ...)
o Turn on the automatic updates feature if possible
• Always use up-to-date antivirus software:
o Use the automatic update function.
• Don’t surf the internet with administrative privileges.
• Restrict access to some web sites.
Strong Passwords
Why a strong password?
Passwords provide the last line of defence against unauthorized access to your computer.
Weak passwords can be cracked in a very short time, even with a standard notebook.
A modern notebook can run 10 million cracking attempts per second!
Here are some examples of the time it would take a standard notebook/PC to crack passwords of various lengths and combinations of characters:
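As an added example (not part of the original document), a small estimator for the figures such a table contains, using the 10 million attempts per second quoted above. The character-set sizes are assumptions of the example, and the times are for a worst-case exhaustive search at that rate, not a claim about any particular cracking tool.

```python
import math

RATE_NOTEBOOK = 10_000_000            # attempts per second, the notebook figure quoted above

CHARSETS = {                           # alphabet sizes (assumed for this example)
    "digits only": 10,
    "lowercase letters": 26,
    "upper + lower letters": 52,
    "letters + digits": 62,
    "letters + digits + symbols": 95,  # printable ASCII
}

def keyspace(alphabet_size, length):
    """Number of candidate passwords an exhaustive attack would have to try."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    """Strength in bits: each extra character adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(alphabet_size, length, rate=RATE_NOTEBOOK):
    """Worst-case time to try every candidate at the given guessing rate."""
    return keyspace(alphabet_size, length) / rate

def human(seconds):
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"

def crack_time_table(lengths=(6, 8, 10, 12), rate=RATE_NOTEBOOK):
    """Rows of (character set, length, time) for the kind of table the text describes."""
    return [(label, n, human(seconds_to_exhaust(size, n, rate)))
            for label, size in CHARSETS.items() for n in lengths]

def compare_page_examples(rate=RATE_NOTEBOOK):
    """The page's long lowercase sentence versus a short full-alphabet password."""
    return {
        "iloveparisinthesummer (21 lowercase)": human(seconds_to_exhaust(26, 21, rate)),
        "8 chars, letters+digits+symbols": human(seconds_to_exhaust(95, 8, rate)),
    }

if __name__ == "__main__":
    for charset, length, time_needed in crack_time_table():
        print(f"{charset:<28} {length:>2} chars  {time_needed}")
    print(compare_page_examples())
```

Raising `rate` shows the effect of the stronger systems mentioned below: the ranking of lengths and character sets does not change, only the scale.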
However, the really bad guys use much stronger systems for password cracking.
They need less than a minute to crack an 8-character password.
As you can see in the table above, the length and complexity of the password are the deciding factors. Follow the best practices below for generating passwords that are difficult to crack.
DOs:
• DO use passwords of at least ten characters (unless the system does not allow it). The
more characters, the more difficult a password is to crack. Length is key!
• DO use a combination of character types: use numbers, lowercase letters, uppercase letters and symbols in your password (e.g. XkeDZaJ6QG3E8!jKq3%yIOd3).
• DO change your password often: Change your passwords at least every three months.
DO NOTs:
• DO NOT use dictionary words: they are tried first by password crackers. If your password
is summertime, your server is probably already cracked.
• DO NOT use names of pets, people, places, events, etc.
• DO NOT reuse passwords.
• DO NOT use adjacent keyboard strings: qwerty1234 is not a good password
How do I create a strong password?
Create your strong password by following these tips:
• Create an acronym from an easy-to-remember piece of information. For example, pick a
phrase that is meaningful to you, such as My son's birthday is 12 December, 2004.
Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.
• Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember
phrase. For example, My son's birthday is 12 December, 2004 could become
Mi$un'sBrthd8iz12124.
• The best way: simply use a short sentence like this: iloveparisinthesummer. 21
characters means a huge number of possible combinations, very difficult to crack even for
professionals. To make it even more secure you can spice it up with some special
characters: iLoveParisinthe$ummer
How to remember my passwords?
We all have lots of passwords. We have to change them regularly and still be able to remember
them.
It is fine to write them down, but passwords should never be recorded in plain text.
If your job requires keeping track of passwords or other user credentials in documents such as Excel or Word files, make sure you always use a password-protected file, and do not call it “passwords”!
Alternatively, you can use password managers. These are small programs in which you can
store your passwords safely. You then only need to remember a single password, the one you need
to open your password manager.
You can use KeePass for managing your passwords and creating strong ones. KeePass: http://keepass.info/
Never Ever Give Your PASSWORD Away.
No one needs your password! Ever! Not even an administrator!
Your password is your digital “identity”. Whoever uses your password is operating in your name.
Treat your password like the PIN of your credit or debit card. Don’t share it with colleagues, even when you’re on holiday.
Never give your password to any member of the IT department. No one – not even those working
in user services or the computer centre – needs your password to carry out their work.
If someone should ask you for your password, for example on the telephone, just reply: “I’m sorry,
I refuse to share my password” and report the incident to the helpdesk. Such requests are
generally dubious.
Best Practices to Protect your System
➢ Change your Selling Platform Connect password to a complex one.
➢ Change your email password frequently (monthly), using a complex password.
➢ Don’t keep your passwords in notes on the system.
➢ Never save the password in any browser.
➢ Shut down the system or disconnect the network cable after office hours.
➢ Uninstall PC remote access software such as TeamViewer, AnyDesk or any other.
➢ Select an email service provider with a strong password policy.
➢ Never open or reply to any email from unknown sources, and do not open attachments that seem suspicious.
➢ Your password is your system security – never reveal it to anyone!
Conclusion
This document has discussed the most important, and often least understood, aspect of security: the security policy.
A security policy establishes the expectations of the customer or user, including what their
requirements are for confidentiality, integrity, and appropriate management of their data, and the
conditions under which they can trust that their expectations are met.
Security is a shared responsibility
_ Amadeus is constantly monitoring the evolving threat landscape to proactively adapt
security measures when needed.
_ Amadeus Selling Platform Connect is equipped with a strong authentication mechanism that helps validate the true identity of the travel agent.
_ Travel Agencies have a key role in securing their environment:
• Defining user access as per business needs (least privilege)
• Hardening the Travel Agencies' IT environment: keeping all operating systems and internet browsers up to date, and installing and maintaining a firewall and anti-virus software.
• Educating travel agents on information security will reduce the risk of fraud and
cyber-attacks.