HUMANS: The Weakest Link In Information Security
GROUP 4: Amol Darvekar (D021), Saurabh Dhole (D023), Hemant Negi (D039), Nagaraju Oruganti (D041), Subba Reddy P (D042), Harsh Shethia (D057)
Security
Need for Information Security
Source: http://www.netfast.com/xq/asp/id.1365/p.5-6-1/qx/PressRelease_view.htm
Banking
Source: http://www.journalofaccountancy.com/Issues/2007/Nov/TheHumanElementTheWeakestLinkInInformationSecurity.htm
Bank of America
Source: http://en.wikipedia.org/wiki/Bank_of_America
Previous Controversies
Introduction
• Businesses spend a significant portion of their annual information technology budgets on high-tech computer security
• But the firewalls, vaults, bunkers, locks and biometrics can be pierced by attackers targeting untrained, uninformed or unmonitored users
• This makes the human link the weakest link in information security systems
What is Phishing?
• A scammer creates a fake version of a web site, then lures victims to it with authentic looking e-mails
• The sole purpose of the fake site is to trick victims into entering their secrets – user names and passwords
• Attackers sell the captured secrets or use them to steal directly from their victims
Problem Definition
SiteKey, as deployed by Bank of America, does not provide appreciable protection from typical phishing scams
AS-IS Analysis
• A new login protocol: the “SiteKey” product by Menlo Park, for its online banking customers
Benefits of Product:
• Reassuring customers that they are entering their user names and passwords into a real BofA web site
• Thwarting unauthorized access to accounts
Source: http://cr-labs.com/publications/WhySiteKey-20060824.pdf
What is SiteKey?
Definition: It is a web-based security system that provides one type of mutual authentication between end-users and websites
Purpose: To prevent phishing attacks by providing authentication
Source: http://en.wikipedia.org/wiki/SiteKey
SiteKey Screenshot
How does SiteKey work?
Circumventing Sitekey Authentication
TO-BE Analysis
• A widespread education process to be implemented to inform customers about phishing attacks, how to identify them, and how to avoid becoming a victim
• A technological component has to be added by the bank to its customer-education initiative
• Introduction of a technology solution that would identify phishing attacks, provide around-the-clock monitoring, and provide real-time alerts
• Requirement of real-time fraud/threat detection with minimal impact to user experience, easy-to-use tools for forensic analysis, and a 24x7 dedicated anti-fraud cybercrime operation
• Security solution that can protect the cookie containing login authentication details of Bank of America from phishing attacks
Business Solutions (IT)
RSA Security Inc. Solution:
• This technology service is designed to stop and prevent phishing attacks that occur in the online channel
• FraudAction offers complete fraud protection and includes 24x7 monitoring and detection, real-time alerts, countermeasures, and site blocking and shutdown
• In one phishing attack, FraudAction enabled Bank of America to shut down an overseas web site within 1.22 hours
Source: http://www.rsa.com/products/consumer/success/11639_LRGBNK_C_0212.pdf
Other steps taken by Bank of America:
• Avoiding claims that a web page with SiteKey is legitimate
• Not storing the persistent challenge-bypass token until the user has logged in completely
• Limiting the number of bypass tokens that can be active for a single account, and making the transfer of a token from one computer to another a deliberate, conspicuous step
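The two token rules above (store the bypass token only after a complete login, cap the number of active tokens per account) as a small Python model. This is an added example, not Bank of America's or SiteKey's code; the class and function names, the cap of three tokens, and the account and device labels are assumptions.

```python
"""Challenge-bypass token policy: a device token is stored only after the
login has fully succeeded, and each account may hold only a few active tokens.
Added illustration of the hardening steps listed above; not Bank of America's
or SiteKey's code. Class names, the cap and the account names are assumed."""
import secrets
import time
from collections import deque

MAX_ACTIVE_TOKENS = 3  # assumed cap; the deck gives no figure


class BypassTokenStore:
    """Per-account ring of active challenge-bypass tokens."""

    def __init__(self, max_active=MAX_ACTIVE_TOKENS):
        self.max_active = max_active
        self._tokens = {}  # account -> deque of (token, issued_at, device_label)

    def issue(self, account, login_completed, device_label):
        """Mint a token for a device; refuses unless the full login finished.
        Returns (token, revoked_tokens): the oldest tokens pushed out by the
        per-account cap are revoked, so moving a token to a new computer is
        a visible event rather than a silent copy."""
        if not login_completed:
            raise PermissionError("bypass token is stored only after a complete login")
        token = secrets.token_urlsafe(32)
        ring = self._tokens.setdefault(account, deque())
        ring.append((token, time.time(), device_label))
        revoked = []
        while len(ring) > self.max_active:
            revoked.append(ring.popleft()[0])  # oldest device loses its token
        return token, revoked

    def is_valid(self, account, token):
        """Constant-time membership check against the account's active tokens."""
        return any(secrets.compare_digest(t, token)
                   for t, _, _ in self._tokens.get(account, ()))

    def active_count(self, account):
        return len(self._tokens.get(account, ()))


def login_flow(store, account, presented_token, answers_ok, password_ok, device_label):
    """Simulated login: a recognised device skips the challenge questions, an
    unknown one must answer them; the password is checked in both cases and a
    new token is stored only once everything has passed.
    Returns (session_opened, token_for_this_device)."""
    recognised = presented_token is not None and store.is_valid(account, presented_token)
    challenge_passed = recognised or answers_ok
    if not challenge_passed or not password_ok:
        return False, None          # nothing is persisted on a failed login
    if recognised:
        return True, presented_token
    token, _revoked = store.issue(account, login_completed=True, device_label=device_label)
    return True, token


if __name__ == "__main__":
    store = BypassTokenStore(max_active=2)
    print(login_flow(store, "alice", None, answers_ok=True, password_ok=False, device_label="pc1"))
    _, t1 = login_flow(store, "alice", None, True, True, "pc1")
    _, t2 = login_flow(store, "alice", None, True, True, "pc2")
    _, t3 = login_flow(store, "alice", None, True, True, "pc3")
    print("pc1 token still valid:", store.is_valid("alice", t1))  # evicted by the cap
```

The point of the cap is that a phisher who harvests one bypass token cannot quietly add yet another "trusted" computer without pushing a legitimate device out, which the customer notices at the next login.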
Impact - SWOT Analysis
• Strengths: Effective firewall protection, password configuration/settings and information transfer protocols.
• Weaknesses: The typical weaknesses of this solution come in the form of laxity on the part of customers and employees, lack of adequate education about the working of the system, etc.
• Opportunities: The solution provides the bank with the opportunity to reduce the instances of phishing, limit the losses due to phishing, improve customer satisfaction, maintain brand reputation etc.
• Threats: The loyalty of employees is important for this solution to be feasible. Disloyalty on part of employees can undermine the effectiveness of this solution
Challenges
• Resistance to change by the employees
• Missing the human element of the security
• Implementation of the new technology
• Overeducating employees
• Lack of consistent communication
• Lack of commitment from management
• Lack of resources
Cost-Benefit Analysis
Business Vendors
The Case - Oriental Bank of Commerce
• The bank offers features such as internet banking, phone banking and NRI banking
• A phishing site spoofed the login page of the bank
• The fraudster stole the credentials of the user
• Hackers sent mails from [email protected] and [email protected]
Source: http://www.symantec.com/connect/blogs/phishing-attacks-indian-banks-rise
An Example of the Phishing Email is below:
Anti-phishing solutions
• 24x7 Proactive monitoring & detection
• Domain Monitoring
• Abuse Email Forwarding
• Evaluation and verification of potential phishing threats
• Rapid incident response web site takedown
• Continuous monitoring of phishing URLs
• Reporting and Forensics portal access
• URL inclusion in Global Blocklists
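The domain-monitoring, evaluation and blocklist items above, shown as a small URL triage routine in Python. This is an added example and not Symantec's or any vendor's product; the brand watch list, the blocklist entry, the similarity threshold, the substitution table and the reported URLs are all constructed for the illustration.

```python
"""Triage of reported URLs against a brand watch list and a global blocklist:
the domain-monitoring and blocklist steps of the solution list above. Added
example, not Symantec's or any vendor's product; the watch list, blocklist,
thresholds and sample URLs below are constructed."""
import difflib
import unicodedata
from urllib.parse import urlsplit

PROTECTED_DOMAINS = ["obcindia.co.in", "bankofamerica.com"]  # constructed watch list
GLOBAL_BLOCKLIST = {"secure-login-verify.example"}            # constructed blocklist
LOOKALIKE_THRESHOLD = 0.8                                     # assumed similarity cut-off

# Character substitutions commonly used to fake a brand name (applied after NFKC)
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_host(host):
    """Fold Unicode and digit/letter-pair tricks so 'bankofarnerica' reads 'bankofamerica'."""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    for fake, real in SUBSTITUTIONS:
        host = host.replace(fake, real)
    return host


def registrable(host):
    """Crude registrable-domain guess: last two labels, or three for short
    second-level labels under a two-letter ccTLD (co.in, co.uk). A production
    tool would consult the Public Suffix List instead."""
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url):
    """Return (verdict, host, matched_brand) with verdict one of
    blocklisted / legitimate / lookalike / suspicious / unknown."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    raw_reg = registrable(host)
    norm_host = normalize_host(host)
    norm_reg = registrable(norm_host)

    if host in GLOBAL_BLOCKLIST or raw_reg in GLOBAL_BLOCKLIST:
        return "blocklisted", host, None
    for brand in PROTECTED_DOMAINS:          # exact registrable match wins
        if raw_reg == brand:
            return "legitimate", host, brand
    for brand in PROTECTED_DOMAINS:
        # the brand domain only appears after de-obfuscation, or is nearly spelled
        similarity = difflib.SequenceMatcher(None, norm_reg, brand).ratio()
        if norm_reg == brand or similarity >= LOOKALIKE_THRESHOLD:
            return "lookalike", host, brand
        # brand used as a subdomain, inside the host, or in the path of an unrelated site
        name = brand.split(".")[0]
        if host.startswith(brand + ".") or name in norm_host or name in parts.path.lower():
            return "suspicious", host, brand
    return "unknown", host, None


def triage(urls):
    """Summarise a batch of reported URLs by verdict, as a reporting portal would."""
    summary = {}
    for url in urls:
        verdict, host, brand = classify_url(url)
        summary.setdefault(verdict, []).append((host, brand))
    return summary


# Constructed sample of reported URLs (no real phishing sites)
REPORTED = [
    "https://www.bankofamerica.com/login",
    "http://bankofarnerica.com/secure",
    "http://obcindia.co.in.secure-update.biz/login",
    "http://secure-login-verify.example/verify",
    "http://203.0.113.5/bankofamerica/login",
    "https://example.org/",
]

if __name__ == "__main__":
    for verdict, hits in triage(REPORTED).items():
        print(verdict, hits)
```

The exact-domain check runs on the raw host before any normalisation so that a de-obfuscated lookalike cannot be mistaken for the real site; everything that is not an exact match is then compared in normalised form. Output of the triage feeds the takedown and blocklist steps the slide lists.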
Data Breach
• An internal IT specialist leaked client data to sell to Lebanese banks
• 24,000 clients affected
• Largest in HSBC history
Source: http://www.esecurityplanet.com/news/article.php/3870071/HSBC-Confirms-Massive-Database-Security-Breach.htm
Previous Instances
• In 2005 – credit card information of over 180,000 customers leaked through the ‘General Motors’ MasterCard
• In 2008 – a bug in imaging software revealed personal information of clients going through bankruptcy proceedings
• The British Financial Services Authority imposed a fine of around 5 million dollars
• Largest fine ever to a banking institution
Source: http://www.msnbc.msn.com/id/7501064/ns/technology_and_science-security/t/warned-credit-card-data-exposed/#.T3KXg9W87W0
Enhanced Security Systems
• A new security device
• Two-step authentication process: 1) Personal username and password; 2) Device-generated security code valid only for 30 seconds
• Session automatically logs out after some time
• 128-bit SSL encryption
Enhanced Security Systems
• Secure online sessions (indications at the browser)
• Multiple layers of security
• Multiple failed login attempts will disable online access unless the customer personally contacts the helpline desk
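The two-step login from the previous slide (password, then a device code valid for 30 seconds) together with the lockout rule above, as an added Python example. The 30-second code is implemented as TOTP (RFC 6238, HMAC-SHA1) since that is the standard way a device-generated code with a 30-second life is produced; this is not the bank's or any vendor's code, and the shared secret, the account, the five-attempt threshold and the timestamps are constructed.

```python
"""Two-step login as on the slides: username/password, then a device code
valid for a 30-second window (TOTP, RFC 6238), with online access disabled
after repeated failures. Added example, not the bank's or any vendor's code;
the secret, account, thresholds and timestamps are constructed."""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30           # each device code lives for one 30-second window
DIGITS = 6
MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the deck gives no figure


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock skew."""
    counter = at // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class Account:
    def __init__(self, password: str, totp_secret: bytes):
        self.password = password       # a real system stores a salted hash, not the password
        self.totp_secret = totp_secret
        self.failed = 0
        self.locked = False


def login(acct: Account, password: str, code: str, now=None) -> str:
    """Returns 'ok', 'denied' or 'locked'. Both factors are checked before any
    answer is given, and a locked account stays locked until the helpline
    re-enables it (acct.locked = False)."""
    now = int(time.time()) if now is None else now
    if acct.locked:
        return "locked"
    password_ok = hmac.compare_digest(password.encode(), acct.password.encode())
    code_ok = verify_totp(acct.totp_secret, code, now)
    if not (password_ok and code_ok):
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed = 0
    return "ok"


if __name__ == "__main__":
    # Constructed secret; it is also the RFC 6238 reference vector secret
    SECRET = b"12345678901234567890"
    acct = Account("correct horse", SECRET)
    print(login(acct, "correct horse", totp(SECRET, int(time.time()))))  # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(login(acct, "wrong", "000000"))                              # denied ... locked
```

Checking both factors before returning a result means a wrong password and a wrong code are indistinguishable to the caller, and counting the failure either way is what turns the phishing scenario on the slides (stolen password, no device) into a lockout rather than a quiet retry loop.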
Enhanced Security Systems
SSL Encryption Service Provider
• BAMS Holdings
• Most trusted and secure option
• Extended validation
• 128-bit to 256-bit encryption
• Installation checker
• Easy management
Future Scope
•A new generation of anti-phishing software as well as education to combat the more sophisticated ways of information theft
•Protection for Mobile Phones
•Stricter Laws
Conclusions
• Consumers play an active role in self-protection from phishing attacks
• Online security systems work perfectly when nothing is wrong (when they are not needed), and imperfectly at other times
• Promoting high confidence in security methods that cannot always provide the advertised protections
• This also increases the risk that overconfident users will be misled by criminals
Thank You