Securing the Digital Terrain
CISO, Networks & Telecommunications e-Security
Introduction
Shamiel Bhikha
Security Expert & Consultant, Author, Chief Security Advisor
39 yrs., married, 2 kids
26 yrs. in IT, 15 yrs. in Security
Networks, Internet, Security, Computer & Network Forensics, Lawful Interception, Cybercrime
[email protected]
Introduction
• My ongoing international work with law enforcement agencies and governmental services has given me a solid reputation in cyber crime analysis, unwanted communication behaviour and targeted monitoring of activities and individuals. As a trainer for agencies in law enforcement, I have trained several organizations in Central and Eastern Europe, the Arab world, Africa and Asia.
• I’m a member, founder and co-founder of several European and German security initiatives like EICAR, CTOSE (European Commission), KOSIB and others.
Electronic Security/Identification
[Slide: word cloud of the acronyms the audience keeps hearing: DEA, RSA, PKI, PEM, RA, DES, PKCS, KDC, MSP, X.509, SHA, DSA, RCA, DAC, CRL, MAC, MIC, MDC, Hash Value, SSL, Asymmetric, Symmetric]
What the %&@*# are they talking about?
Introduction - Before Nigerian Payment Systems
• Long queues in banking halls
• No banking services after close of business
• Physical presence required for all banking transactions
• High security risk associated with cash handling
• Absence of self service banking
• Cumbersome process of transferring funds
• High cost of cash management
• Heavy reliance on the use of cheques /drafts
• Long turnaround time for processing transactions
Introduction
• The payments system plays a very crucial role in any economy, being the channel through which financial resources flow from one segment of the economy to the other. It therefore represents the major foundation of the modern market economy, underpinning the monetary policy role, the financial stability role and the overall economic role.
• Due to its importance, the Central Bank of Nigeria put in place a set of National Payment Systems (NPS) policy objectives as a broad guideline and framework for all payment systems initiatives:
– to ensure that the system is available without interruption,
– to meet all users' needs,
– to operate at minimum risk and reasonable cost.
• Over the past ten years the Central Bank of Nigeria (CBN), in collaboration with the Bankers' Committee, has launched the first major initiative to modernize the payments system.
• Electronic channels in banking are the channels through which customers are served other than through traditional branch banking. They include:
1. Automated Teller Machine (ATM)
2. Debit Cards
3. Credit Cards
4. Point of Sale Terminal (POS)
5. Paydirect
6. Etransact
7. Corporate Pay
8. Kiosks
9. Webpay
10. Internet Banking
11. Telephone/Mobile Banking
12. SMS Banking
Types of Payment Systems
Why are banks embracing payment systems today?
• To encourage self service banking
• To displace cash/cheque payments
• To protect and grow customer base
• To deepen customer relationships and increase loyalty
• To provide a defense mechanism against competition
• To reduce queues in our branches
• To increase profitability (long run)
Circular To All Deposit Money Banks
Identified risk issues
• Cheque splitting
• Burden on AML application
• False positives
• Reviewing/collation time
• Anticipated increase in cheque consumption rate/cheque requests
• Volume in clearing centers
• Cost of producing cheques
• Cloning of cheques
• Turn around times/penalty charges
• Increased usage of Payment Systems
• And so on ...
Control Measures
• Transactions must be tied to the Teller's till balance
• Collections through payment systems must be remitted quickly
• Prevention of logon from another bank's collection website
• Tellers must not compromise their user id, password & PIN
• Reduction of transaction limits
• Efficient Investigation & Reconciliation team to review reports
• Controlled user security management - admin rights/privileges
• 24/7 call centers to block/hotlist cards (can this be automated?)
• Default PIN must be activated on card before cash loading
• Installation of cameras on ATMs
• Blocking of phishing websites - safe list of websites
• Good record management - KYC
• Strong awareness campaign on associated risks relating to PIN compromise - adverts in newspapers and pasting of posters in branches
• E-fraud forum
• Implementation of an intelligent system to track fraudulent transactions
Drivers for Electronic Security/Identification
• Electronic transactions and e-commerce require identification: business-to-consumer, business-to-business, consumer-to-consumer
• National and regional legislation set their own requirements on the implementation of electronic identification and related services
• Convergence of open networks
e-Payment System
• E-Payment: exchange of goods / services
• Contracting parties: buyer and seller
• Fundamental principles: trust and security
• Intermediaries:
– Direct (distributors, retailers)
– Indirect (banks, regulators)
• Money is a medium to facilitate transactions
• Attributes of money:
– Acceptability, portability, divisibility
– Security, anonymity
– Durability, interoperability
e-Payment System
• Automation of commercial transactions using computers and communication technologies
• Facilitated by the Internet and WWW
• Business-to-Business: EDI
• Business-to-Consumer: WWW retailing
• Some features:
– Easy, global access, 24 hour availability
– Customized products and services
– Back Office integration
– Additional revenue stream
e-Payment System Steps
• Attract prospects to your site
– Positive online experience
– Value over traditional retail
• Convert prospect to customer
– Provide customized services
– Online ordering, billing and payment
• Keep them coming back
– Online customer service
– Offer more products and conveniences
Maximize revenue per sale
e-Payment System Participants
e-Payment System Problems
[Figure: the three problem parties in an e-payment: Snooper, Unreliable Merchant, Unknown Customer]
e-Payment System Risks
• Customer's risks
– Stolen credentials or password
– Dishonest merchant
– Disputes over transaction
– Inappropriate use of transaction details
• Merchant's risks
– Forged or copied instruments
– Disputed charges
– Insufficient funds in customer’s account
– Unauthorized redistribution of purchased items
• Main issue: Secure payment scheme
Why is the Internet insecure?
• Host security
– Client
– Server (multi-user)
• Transmission security
– Passive sniffing
– Active spoofing and masquerading
– Denial of service
• Active content
– Java, JavaScript, ActiveX
[Figure: parties A and B with attacker C in four diagrams: Eavesdropping, Denial of service, Interception, Replay/fabrication]
Building Trust
Trust is the foundation of any banking institution. And this year more than any other, that trust has been put to the test. From highly publicized data loss cases at Countrywide and Bank of New York Mellon to outright failures of banks such as IndyMac, and then to the September swoon of Merrill Lynch, Lehman Bros. and AIG, 2008 has been riddled with incidents that call into question institutions' ability to protect their customers' financial and informational assets. At the same time, a younger, more tech-savvy consumer base is coming of age and demanding new, electronic banking channels. Institutions need not only to be able to serve these customers, but to recruit and retain them. Security can be a real competitive differentiator here, enabling institutions to demonstrate the lengths to which they will go to ensure a safe, secure banking experience.
e-Payment Security
• Authorization, access control:
– protect the intranet from the hordes: firewalls
• Confidentiality, data integrity:
– protect contents against snoopers: encryption for confidentiality; integrity additionally needs a MAC or a digital signature, since encryption alone does not detect tampering
• Authentication:
– both parties prove their identity before starting the transaction: digital certificates
• Non-repudiation:
– proof that the document originated from you and you only: digital signature
The customer relationship is everything
Protecting its clients and their assets is a huge responsibility, one that should be taken very seriously. Financial institutions must uphold that commitment by making security and privacy a cornerstone of their business philosophy and, more importantly, by putting their money where their mouth is: investing heavily in addressing evolving online security needs.
It All Comes Back to Trust
Whether or not they have actually been a victim, most individuals see themselves as potential prey to any number of electronic crimes, from an account take-over to credit card fraud or identity theft.
“Who could really blame them?”
“Just open any newspaper, and horror stories abound.” Among the recent headlines:
Phishing attacks on the IRS, enticing taxpayers to relinquish their account numbers in order to receive an early rebate.
The Hannaford retail data breach scandal in which malware re-routed credit card information to awaiting criminals. Countless new incidents of identity theft.
e-Payment
• The regulatory framework for e-payments is further evolving. Public authorities need to reinforce overall consistent objectives, particularly regarding safety, efficiency and market integration.
• Currently the electronification of payments is approaching another stage, which can be largely grouped around new business opportunities in electronic commerce that have arisen from the use of the internet.
Security for e-payment
• Access Control (Authorization - Authentication - Boundary)
• Encryption (Cryptographic - PKI)
• Secure Communications (Physical Infrastructure)
• Management (Enterprise System & Security)
• Systems and Network Services (software validation)
• Business Continuity Management (disaster recovery)
New Opportunities
• On the Internet no-one knows you are a dog
• Internet banking infrastructure is cheap and easy to build: opportunity to leap-frog
• Open standards level the paying field
• Must work with new standards
Advance Fee Fraud 419
From: "Mr. Don Peter"
To: undisclosed-recipients:;
Subject: Dear Friend
Date: Thu, 18 Oct 2007 08:39:10 -0400
Reply-to: [email protected]
Dear Friend
It has been long we communicate last, am so sorry for the delay, I want to Inform you that your cheque of ($850.000.00) Which my boss asked me to mail to you as soon as you requested it, is still with me.
But due to some minure issue you fails to respond at the Approprete time, and presently the cheque is with me here in LAGOS-NIGERIA Though i had a new contact from a friend of mine who works with one security company here in NIGETIA that will deliver you your cheque at your door step with a cheeper rate, which the company said that it will cost you the sum of $198.00 usd, So you have to Contact them and register with them now.
Considering That Sample…
• The actual 419 scam sample you've just seen is so full of spelling and usage errors that it may be hard to believe that anyone would take it seriously.
• Yet we know that people do fall for these sorts of 419 scams...
Enough with theory, let's go live!
• Analysis Technologies by Visualizing data
• Context Analysis on eMail
• Profiling of Network Objects for Man Hunt
• Outperforming CyberCrime by thinking like your Enemy
• Precautions in Networks to prevent CyberCrime
• Tips, tricks and cases that have already happened!!
Security Breach Scenario
Security threats and targeted attacks are growing rapidly. Financial fraud and identity theft are on the rise. To meet evolving challenges you need to correlate log data with vulnerability, configuration, asset, performance and NBAD (network behaviour anomaly detection) analytics.
[Diagram: corporate network with a DMZ (mail server, web server, UTM), a branch office (wireless, corporate users) and HQ (firewall/IPS, router, switch, domain controller, transaction server, AV/spam/spyware gateway, corporate users). The hacker's path, with the event each device logs along the way: network attack -> port-scan event -> failed log-ins -> log-in success -> config changes (root/admin access) -> install rogue application -> data theft]
Consequence = Lesson learnt !
• You need endpoint Security to get Triggers
• Triggers have to be correlated into an Information System, to recognize alarms
• Become ahead of CyberCrime by thinking like your Enemy
• Logical penetration tests are useful as they involve human factors
• There is no such thing as ROI on Security, or is there a ROI of an unused Fire Extinguisher ?
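The scenario above is exactly the correlation a SIEM performs: each device only sees its own trigger (a port scan on the IPS, failed log-ins on the domain controller, a configuration change on the transaction server), and the alarm comes from lining those triggers up per source address inside a time window. The Go program below is an added example written for this page, not code from the presentation or from any SIEM product. Its log lines are constructed to follow the diagram's sequence, with a second, legitimate user who mistypes a password twice so the rules can be checked for false positives; the log format, the five-failure threshold and the 15-minute window are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one normalized log record. Kind mirrors the stages in the slide:
// portscan, auth_fail, auth_ok, config_change, rogue_install, exfil.
type Event struct {
	Time   time.Time
	Sensor string // which device logged it (ips, dc, txserver, proxy)
	Actor  string // the source address the event is attributed to
	Kind   string
}

// ChainStages is the attack progression drawn on the slide, in order.
var ChainStages = []string{"portscan", "auth_ok", "config_change", "rogue_install", "exfil"}

// SampleLog is constructed for this example: one attacker (10.9.9.9) and one
// legitimate user (10.1.1.20) who mistypes a password twice before logging in.
const SampleLog = `2008-10-18T08:01:10Z ips 10.9.9.9 portscan
2008-10-18T08:02:00Z dc 10.9.9.9 auth_fail
2008-10-18T08:02:05Z dc 10.9.9.9 auth_fail
2008-10-18T08:02:11Z dc 10.9.9.9 auth_fail
2008-10-18T08:02:16Z dc 10.9.9.9 auth_fail
2008-10-18T08:02:20Z dc 10.9.9.9 auth_fail
2008-10-18T08:02:30Z dc 10.9.9.9 auth_ok
2008-10-18T08:03:00Z dc 10.1.1.20 auth_fail
2008-10-18T08:03:05Z dc 10.1.1.20 auth_fail
2008-10-18T08:03:09Z dc 10.1.1.20 auth_ok
2008-10-18T08:05:00Z txserver 10.9.9.9 config_change
2008-10-18T08:06:00Z txserver 10.9.9.9 rogue_install
2008-10-18T08:09:00Z proxy 10.9.9.9 exfil`

// Parse turns "timestamp sensor actor kind" lines into time-ordered Events,
// dropping malformed lines instead of failing the whole batch.
func Parse(raw string) []Event {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		out = append(out, Event{Time: ts, Sensor: f[1], Actor: f[2], Kind: f[3]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out
}

// actorState is the per-source memory the correlation keeps between events.
type actorState struct {
	fails     []time.Time // auth_fail timestamps not yet followed by a success
	stage     int         // how many ChainStages have been seen, in order
	chainFrom time.Time   // when the first stage was seen
}

// Correlate replays events and returns alerts. A single trigger never alerts;
// a brute force is failThreshold failures then a success inside window, and
// an intrusion chain is all ChainStages in order inside window.
func Correlate(events []Event, window time.Duration, failThreshold int) []string {
	var alerts []string
	states := map[string]*actorState{}
	for _, e := range events {
		st := states[e.Actor]
		if st == nil {
			st = &actorState{}
			states[e.Actor] = st
		}
		switch e.Kind {
		case "auth_fail":
			st.fails = append(st.fails, e.Time)
		case "auth_ok":
			recent := st.fails[:0] // keep only failures inside the window before this success
			for _, t := range st.fails {
				if e.Time.Sub(t) <= window {
					recent = append(recent, t)
				}
			}
			if len(recent) >= failThreshold {
				alerts = append(alerts, fmt.Sprintf("%s brute-force: %d failures then success on %s within %s",
					e.Actor, len(recent), e.Sensor, window))
			}
			st.fails = nil
		}
		if st.stage < len(ChainStages) && e.Kind == ChainStages[st.stage] {
			if st.stage == 0 {
				st.chainFrom = e.Time
			}
			if e.Time.Sub(st.chainFrom) > window {
				st.stage = 0 // too slow to be one intrusion: start over
				continue
			}
			st.stage++
			if st.stage == len(ChainStages) {
				alerts = append(alerts, fmt.Sprintf("%s intrusion chain complete: %s in %s",
					e.Actor, strings.Join(ChainStages, " -> "), e.Time.Sub(st.chainFrom)))
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Correlate(Parse(SampleLog), 15*time.Minute, 5) {
		fmt.Println("ALERT", a)
	}
}
```

Running it yields two alerts for 10.9.9.9 (the brute force at 08:02:30 and the completed chain at 08:09:00) and none for 10.1.1.20. Shrinking the window to five minutes drops the chain alert because the exfiltration comes too late, which is the trade-off every correlation rule carries: a short window cuts noise but lets a patient attacker through, so in practice the window is tuned per stage and the state is kept in a store that survives restarts.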
The different point of view
• Security is a strategy & process, perfectly supported by SIEM.
• Think like your enemy! Reduce the possibility of security breaches through the most comprehensive Security Information & Event Management.
• Reduce the workload through Security Information & Event Management.
• Expect the unexpected: strong content, border and endpoint security by threat management protects you from surprises!
• I don't know what I don't know! With network forensics you will!!
• Security is the ART of opening systems in a way that keeps them perfectly closed!
• Security without enough SIEM is like finding a needle in a haystack, without knowing what colour the needle is or in which barn the haystack stands!
• Identify before you let someone access anything!!
Secure end-to-end protocols
[Figure: networks and distribution channels are converging: banks, telecoms, public authorities, retail and media enterprises meet around shared services, products and content]
Security/Identification Services
Integrity - Guarantees that information content has not been tampered with, altered, or revealed indiscriminately.
Privacy/Confidentiality - Protects sensitive information, protects confidences and secures trusted transactions financial and otherwise.
Authentication - Verifies user identity.
Non-repudiation - Assures the originator cannot disavow a transaction and enables use of trusted, binding transaction receipts based on identity and/or role.
Access Control - Controls user access to information.
On the Internet nobody knows that you are a dog!
The challenge and the solution
The challenge:
• Limited physical security elements in the payment media
• Open and insecure channel
• No means for physical authentication
• Transactions are often executed in real-time
The solution is PKI, i.e. public key technology integrated into business applications
Why PKI?
To put it simply, the PKI framework will provide the electronic counterpart of a signature, which in the physical world serves to authenticate and authorize transactions and ensure non-repudiation from a legal standpoint. The PKI framework will also address the secure transportation of that instruction.
The planned widespread deployment of e-payment solutions to improve service delivery, interaction and transactions between G2G, G2B, G2C, B2B and C2B parties will require:
• secure e-mail, DMS
• cross-institutional use of secure web servers / databases, access control, etc.
To encourage online transactions, stakeholders (businesses, agencies, citizens, etc) must be assured of trust value
PKI is the solution
PKI (Public Key Infrastructure) provides a high security and well-manageable solution for the listed security requirements
PKI enables strong authentication, digital signature, non-repudiation, integrity and confidentiality
PKI is a (de facto) standard, the same as:
• SET - e-commerce
• EMV - debit and credit cards
• Internet security protocols
• Electronic ID/health cards (Finland, Germany, Italy, France, ...)
Benefits
• Typical applications are e-mails, chip card applications (GMPC), online value exchange (debit / credit cards), ID and citizen ID systems (passports, driver's licences), ticketing, etc.
• Forms part of the overall data and information security strategy to provide the comfort and confidence to move from face-to-face systems and transactions to the online arena
• Identity assurance: it allows for identification of entities
• Reduces risk
• Reduces transactional processing expenses
• Enhances efficiency and performance of systems and networks
• Reduces the complexity of security systems
• Allows distribution and use of security mechanisms (keys and certificates) with integrity
RA - Registration Authority
CA - Certification Authority
CRL - Certificate Revocation List
[Diagram: Public Key Infrastructure. The RA registers the user; the CA issues the certificate and publishes the CRL. Both the user and the user/server on the other side hold a private key and publish the public key in the public domain. Send message: the sender signs the message with the private key and encrypts it; the receiver decrypts it and validates the signature with the sender's public key from the public domain, checking the certificate against the CRL.]
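The e-Payment Security slide earlier (firewalls, encryption, digital certificates, digital signature), the replay/fabrication threat on the "Why is the Internet insecure?" slide and the PKI diagram above all describe the same flow in prose. The Go program below is an added example written for this page, not code from the presentation or from VeriSign or any other vendor it names. It uses only the Go standard library: a throwaway CA certifies a user's Ed25519 key and publishes a CRL, and the relying party checks chain, revocation, signature and replay before executing a constructed payment instruction. The CA name, user name, serial numbers, instruction format and 24-hour validity are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Credential pairs an X.509 certificate with the private key it certifies.
type Credential struct {
	Cert *x509.Certificate
	Priv ed25519.PrivateKey
}

// NewCredential generates an Ed25519 key pair and certifies it. With issuer nil it builds the
// self-signed CA (may sign certificates and CRLs); otherwise issuer acts as CA for a registered user.
func NewCredential(cn string, serial int64, issuer *Credential) (*Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now, usage := time.Now(), x509.KeyUsageDigitalSignature // end entity: signing only
	if issuer == nil {
		usage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: issuer == nil, BasicConstraintsValid: true, KeyUsage: usage,
	}
	parent, signer := tmpl, priv // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Credential{Cert: cert, Priv: priv}, nil
}

// CRL publishes revoked serial numbers in a Certificate Revocation List signed by the CA.
func (ca *Credential) CRL(number int64, revoked ...*big.Int) ([]byte, error) {
	now := time.Now()
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: entries}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Priv)
}

// Verifier is the relying party (the bank's transaction server). It trusts one CA and takes a
// CRL only if that CA signed it: a forged CRL could otherwise "un-revoke" a stolen certificate.
type Verifier struct {
	roots *x509.CertPool
	crl   *x509.RevocationList
	seen  map[string]bool // instruction IDs already executed, to refuse replays
}

func NewVerifier(ca *x509.Certificate, crlDER []byte) (*Verifier, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Verifier{roots: roots, crl: crl, seen: map[string]bool{}}, nil
}

// Accept checks authentication (chain to the CA), revocation (CRL), integrity and
// non-repudiation (signature by the certified key) and freshness (instruction ID unseen).
func (v *Verifier) Accept(cert *x509.Certificate, instruction, sig []byte, id string) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: v.roots}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	for _, r := range v.crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	if err := cert.CheckSignature(x509.PureEd25519, instruction, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if v.seen[id] {
		return errors.New("replay: instruction already executed")
	}
	v.seen[id] = true
	return nil
}

func main() {
	ca, _ := NewCredential("Demo Bank Root CA", 1, nil) // assumed name and serials
	alice, _ := NewCredential("alice", 100, ca)
	crl, _ := ca.CRL(1) // nothing revoked yet
	v, _ := NewVerifier(ca.Cert, crl)
	msg := []byte("id=TX-1;pay=NGN 50000;to=ACCT-42") // constructed instruction
	sig := ed25519.Sign(alice.Priv, msg)                // the user's digital signature
	fmt.Println(v.Accept(alice.Cert, msg, sig, "TX-1"), v.Accept(alice.Cert, msg, sig, "TX-1"))
}
```

The first Accept returns nil and the second reports the replay: the signature is still valid, so only the transaction server's own memory of executed IDs stops a captured instruction from being paid twice. The CRL is parsed and its signature checked before any serial in it is trusted; a relying party that accepts an unsigned list of revoked serials can simply be handed an empty one. In a deployment the CRL would be fetched from the distribution point named in the certificate (or replaced by an OCSP query) and refreshed before its NextUpdate, and the replay cache would live in persistent storage shared by all server instances.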
Opportunities
Compliance
+ Federal IT regulation continues to expand: SOX, GLBA, HSPD-12, FFIEC
+ Most regulations speak to authentication, data integrity, and audit trails
+ Non-compliance = shutdown or penalties
Risk Management
+ Continued drive towards online models
+ Increased public awareness of security threats
+ Operational costs related to security breaches
+ Public security breaches = lost customer confidence
Partnerships and Mobility
+ Ubiquitous access
+ Partner integration
+ Internal and external self service
+ Opening networks = more complex exposures
Market Response
• Authentication
– Prevent unauthorized access through enhanced authentication
– Primary integration points: web app, remote access, desktop logon, and wireless
• Encryption
– Protect sensitive information whether data is in transit or at rest
– Primary integration points: email, disk, file/folder, and databases
• Digital Signatures
– Strengthen integrity and audit potential of electronic transactions
– Primary integration points: email, Adobe, and custom apps
Reality and Solution
- The Reality
– In order to compete effectively, enterprises must open up their previously closed networks to business partners, customers, and their own increasingly mobile workforce. While greater levels of interconnection drive productivity, they also create more opportunities for exposure to risk. Government and industry regulation as well as stronger corporate governance are driving the adoption of risk mitigation strategies that include the areas of strong authentication and encryption.
- The Solution
– VeriSign operates a highly available and secure infrastructure that enables organizations to leverage VeriSign’s authentication and encryption services without the risk, effort, and expense of building out their own solutions. The VeriSign platform helps address business challenges and regulations around strong authentication and the maintenance of data confidentiality and integrity while allowing organizations to focus their efforts and resources on more strategic initiatives.
PKI Services
[Diagram: the components of a PKI service: PKI/CA software & hardware, risk and liability management, user support, application enablement, authentication, application consulting, secure infrastructure, service availability, policy & practices]
A PKI requires: technology, people, facilities, applications, policy and procedures.
Thanks For the Chance To Talk Today
Are there any questions?
CyberCrime already hit your company, but you were not able to detect it !
The complete solution with SIEM to prevent being a Victim !
Presented to you by Shamiel Bhikha, Consultant (Chief Security Advisor)
[email protected]
+2347060671347 Nigeria mobile
or +27796280186 worldwide mobile
End-to-End Security
Endless Possibilities