Page 1: Securing the Digital Terrain CISO, Networks & Telecommunications e-Security

Securing the Digital Terrain

CISO, Networks & Telecommunications e-Security

Page 2:

Introduction: Shamiel Bhikha

Security Expert & Consultant, Author, Chief Security Advisor
39 yrs., married, 2 kids
26 yrs. in IT, 15 yrs. in Security
Networks, Internet, Security, Computer & Network Forensics, Lawful Interception, Cybercrime
[email protected]

Page 3:

Introduction

• My ongoing international work with law enforcement agencies and governmental services has given me a solid reputation in cyber crime analysis, unwanted communication behaviour and targeted monitoring of activities and individuals. As a trainer for agencies in law enforcement, I have trained several organizations in Central and Eastern Europe, the Arab world, Africa and Asia.

• I’m a member, founder and co-founder of several European and German security initiatives like EICAR, CTOSE (European Commission), KOSIB and others.

Page 4:

Electronic Security/Identification

(Slide graphic: a cloud of acronyms grouped around the words "Asymmetric" and "Symmetric": DEA, RSA, PKI, PEM, RA, DES, PKCS, KDC, MSP, X.509, SHA, DSA, RCA, DAC, CRL, MAC, MIC, MDC, Hash Value, SSL. Caption: "What the %&@*#* are they talking about".)

Page 5:

Introduction - Before Nigerian Payment Systems

• Long queues in banking halls

• No banking services after close of business

• Physical presence required for all banking transactions

• High security risk associated with cash handling

• Absence of self service banking

• Cumbersome process of transferring funds

• High cost of cash management

• Heavy reliance on the use of cheques /drafts

• Long turnaround time for processing transactions

Page 6:

Introduction

• The payments system plays a very crucial role in any economy, being the channel through which financial resources flow from one segment of the economy to another. It therefore represents the major foundation of the modern market economy: the monetary policy role, the financial stability role and the overall economic role.

• Due to its importance, the Central Bank of Nigeria put in place a set of National Payment Systems (NPS) policy objectives as a broad guideline and framework for all payment systems initiatives:

– to ensure that the system is available without interruption,

– to meet all users' needs,

– to operate at minimum risk and reasonable cost.

• Over the past ten years the Central Bank of Nigeria (CBN), in collaboration with the Bankers' Committee, has launched the first major initiative to modernize the payments system.

Page 7:

Types of Payment Systems

• Electronic channels in banking are the channels through which customers are served other than through traditional banking, and include the use of:

1. Automated Teller Machine (ATM)
2. Debit cards
3. Credit cards
4. Point of Sale terminal (POS)
5. Paydirect
6. Etransact
7. Corporate Pay
8. Kiosks
9. Webpay
10. Internet banking
11. Telephone/mobile banking
12. SMS banking

Page 8:

Page 9:

Why Banks are embracing Payment Systems today?

• To encourage self service banking

• To displace cash/cheque payments

• To protect and grow customer base

• To deepen customer relationships and increase loyalty

• To provide a defense mechanism against competition

• To reduce queues in our branches

• To increase profitability (long run)

Page 10:

Circular To All Deposit Money Banks

Page 11:

Identified risk issues

• Cheque splitting
• Burden on AML application
• False positives
• Reviewing/collation time
• Anticipated increase in cheque consumption rate/cheque requests
• Volume in clearing centers
• Cost of producing cheques
• Cloning of cheques
• Turnaround times/penalty charges
• Increased usage of payment systems
• And so on …

Page 12:

Control Measures

• Transactions must be tied to the teller's till balance
• Collections through payment systems must be remitted quickly
• Prevention of logon from another bank's collection website
• Tellers must not compromise their user ID, password & PIN
• Reduction of transaction limits
• Efficient investigation & reconciliation team to review reports
• Controlled user security management: admin rights/privileges
• 24/7 call centers to block/hotlist cards (can this be automated?)
• Default PIN must be activated on the card before cash loading
• Installation of cameras on ATMs
• Blocking of phishing websites: safe list of websites
• Good record management (KYC)
• Strong awareness campaign on the risks of PIN compromise: adverts in newspapers and posters in branches
• E-fraud forum
• Implementation of an intelligent system to track fraudulent transactions

Page 13:

Drivers for Electronic Security/Identification

• Electronic transactions and e-commerce require identification: business-to-consumer, business-to-business, consumer-to-consumer

• National and regional legislation sets its own requirements on the implementation of electronic identification and related services

• Convergence of open networks

Page 14:

e-Payment System

• E-Payment: exchange of goods / services
• Contracting parties: buyer and seller
• Fundamental principles: trust and security
• Intermediaries:
– Direct (distributors, retailers)
– Indirect (banks, regulators)
• Money is a medium to facilitate transactions
• Attributes of money:
– Acceptability, portability, divisibility
– Security, anonymity
– Durability, interoperability

Page 15:

e-Payment System

• Automation of commercial transactions using computers and communication technologies
• Facilitated by the Internet and WWW
• Business-to-Business: EDI
• Business-to-Consumer: WWW retailing
• Some features:

– Easy, global access, 24 hour availability

– Customized products and services

– Back Office integration

– Additional revenue stream

Page 16:

e-Payment System Steps

• Attract prospects to your site
– Positive online experience
– Value over traditional retail

• Convert prospect to customer
– Provide customized services
– Online ordering, billing and payment

• Keep them coming back
– Online customer service
– Offer more products and conveniences

• Maximize revenue per sale

Page 17:

e-Payment System Participants

Page 18:

e-Payment System Problems

• Snooper
• Unreliable merchant
• Unknown customer

Page 19:

e-Payment System Risks

• Customer's risks
– Stolen credentials or password
– Dishonest merchant
– Disputes over transaction
– Inappropriate use of transaction details

• Merchant's risks
– Forged or copied instruments
– Disputed charges
– Insufficient funds in customer's account
– Unauthorized redistribution of purchased items

• Main issue: secure payment scheme

Page 20:

Why is the Internet insecure?

• Host security
– Client
– Server (multi-user)

• Transmission security
– Passive sniffing
– Active spoofing and masquerading
– Denial of service

• Active content
– Java, JavaScript, ActiveX

(Slide graphics: clients (C) talking to servers (S), and four A-B-C diagrams in which a third party C attacks the A-B link: eavesdropping, denial of service, interception, replay/fabrication.)

Page 21:

Building TrustTrust is the foundation of any banking institution. And this year more than any other, that trust has been put to the test. From highly-publicized data loss cases at Countrywide and Bank of New York Mellon to outright failures of banks such as IndyMac - and then to the September swoon of Merrill Lynch, Lehman Bros. and AIG - 2008 has been riddled with numerous incidents that call into question institutions' abilities to protect their customers' financial and informational assets. At the same time, a younger, more tech-savvy consumer base is coming of age and demanding new, electronic banking channels. Institutions need not only to be able to serve these customers, but to recruit and retain them. Security can be a real competitive differentiator here, enabling institutions to demonstrate the lengths to which they'll go to ensure a safe, secure banking experience.

Page 22:

e-Payment Security

• Authorization, Access Control:
– protect the intranet from the hordes: firewalls

• Confidentiality, Data Integrity:
– protect contents against snoopers: encryption (note that encryption alone gives confidentiality; integrity needs a MAC or a digital signature as well)

• Authentication:
– both parties prove their identity before starting a transaction: digital certificates

• Non-repudiation:
– proof that the document originated from you and you only: digital signature

Page 23:

The customer relationship is everything

Protecting its clients and their assets is a huge responsibility, one that should be taken very seriously. Financial institutions must uphold that commitment by making security and privacy a cornerstone of their business philosophy and, more importantly, by putting their money where their mouth is: investing heavily in addressing evolving online security-related needs.

Page 24:

It All Comes Back to Trust

Whether or not they have actually been victims, most individuals see themselves as potential prey to any number of electronic crimes, from an account take-over to credit card fraud or identity theft.

“Who could really blame them?”

“Just open any newspaper, and horror stories abound.” Among the recent headlines:

Phishing attacks on the IRS, enticing taxpayers to relinquish their account numbers in order to receive an early rebate.

The Hannaford retail data breach scandal in which malware re-routed credit card information to awaiting criminals. Countless new incidents of identity theft.

Page 25:

e-Payment

• The regulatory framework for e-payments is further evolving. Public authorities need to reinforce overall consistent objectives, particularly regarding safety, efficiency and market integration.

• Currently the electronification of payments is approaching another stage, which can be largely grouped around new business opportunities in electronic commerce that have arisen from the use of the internet.

Page 26:

Security for e-payment

• Access Control (authorization, authentication, boundary)
• Encryption (cryptography, PKI)
• Secure Communications (physical infrastructure)
• Management (enterprise system & security)
• Systems and Network Services (software validation)
• Business Continuity Management (disaster recovery)

Page 27:

New Opportunities

• On the Internet no-one knows you are a dog

• Internet banking infrastructure is cheap and easy to build: an opportunity to leap-frog

• Open standards level the playing field

• Must work with new standards

Page 28:

Advance Fee Fraud 419

From: "Mr. Don Peter"
To: undisclosed-recipients:;
Subject: Dear Friend
Date: Thu, 18 Oct 2007 08:39:10 -0400
Reply-to: [email protected]

Dear Friend

It has been long we communicate last, am so sorry for the delay, I want to Inform you that your cheque of ($850.000.00) Which my boss asked me to mail to you as soon as you requested it, is still with me.

But due to some minure issue you fails to respond at the Approprete time, and presently the cheque is with me here in LAGOS-NIGERIA Though i had a new contact from a friend of mine who works with one security company here in NIGETIA that will deliver you your cheque at your door step with a cheeper rate, which the company said that it will cost you the sum of $198.00 usd, So you have to Contact them and register with them now.

Page 29:

Considering That Sample…

• The actual 419 scam sample you've just seen is so full of spelling and usage errors that it may be hard to believe that anyone would take it seriously.

• Yet we know that people do fall for these sorts of 4-1-9 scams…

Page 30:

Enough with theory, let's go live!

• Analysis technologies by visualizing data

• Context analysis on email

• Profiling of network objects for a man hunt

• Outperforming cybercrime by thinking like your enemy

• Precautions in networks to prevent cybercrime

• Tips, tricks and cases that have already happened!!

Page 31:

Security Breach Scenario

Security threats and targeted attacks are growing rapidly. Financial fraud and identity theft are on the rise. To meet evolving challenges you need to correlate log data with vulnerability, configuration, asset, performance and NBAD (network behaviour anomaly detection) analytics.

(Slide diagram: a hacker reaches, via a router, a network made up of a DMZ with mail and web servers, a UTM, a firewall/IPS, a switch, a wireless segment, a branch office, HQ corporate users, a domain controller, a transaction server and AV/spam/spyware filtering. The events shown along the attack path, in order: network attack, port-scan event, failed log-ins (repeated), log-in success, config changes with root/admin access, installation of a rogue application, data theft.)

Page 32:

Consequence = lesson learnt!

• You need endpoint security to get triggers

• Triggers have to be correlated in an information system to recognize alarms

• Get ahead of cybercrime by thinking like your enemy

• Logical penetration tests are useful as they involve human factors

• There is no such thing as ROI on security; or is there an ROI on an unused fire extinguisher?
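The breach scenario on the previous slide and the lesson that triggers must be correlated before they become alarms are exactly what a SIEM correlation rule does. The following is an added example, not code from this presentation or from any SIEM product: it groups events by source address, walks them through the slide's chain (port scan, repeated failed log-ins, log-in success, root/admin config change, rogue install, data theft) in time order, and raises an alert only when enough stages occur in sequence within a window. The log format, field names, addresses, hostnames and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, as they might arrive from the sources in the
# slide's diagram (IPS, domain controller, endpoint agent, proxy). Not real logs.
SAMPLE_LOGS = """
2008-10-18T08:39:10 sensor=ips src=203.0.113.7 dst=198.51.100.10 event=port_scan
2008-10-18T08:40:02 sensor=dc src=203.0.113.7 user=admin event=login_failed
2008-10-18T08:40:05 sensor=dc src=203.0.113.7 user=admin event=login_failed
2008-10-18T08:40:09 sensor=dc src=203.0.113.7 user=admin event=login_failed
2008-10-18T08:40:31 sensor=dc src=203.0.113.7 user=admin event=login_success
2008-10-18T08:45:12 sensor=endpoint src=203.0.113.7 host=txn-srv event=config_change detail=root_access
2008-10-18T08:47:40 sensor=endpoint src=203.0.113.7 host=txn-srv event=install detail=unsigned_binary
2008-10-18T09:02:03 sensor=proxy src=203.0.113.7 dst=198.51.100.77 event=outbound_transfer bytes=52000000
2008-10-18T09:10:00 sensor=dc src=10.1.1.25 user=teller04 event=login_failed
2008-10-18T09:10:20 sensor=dc src=10.1.1.25 user=teller04 event=login_success
2008-10-18T09:15:00 sensor=proxy src=10.1.1.40 dst=198.51.100.80 event=outbound_transfer bytes=2048
""".strip().splitlines()

# The stages of the slide's breach chain, in the order they must occur.
KILL_CHAIN = ["port_scan", "login_failed", "login_success",
              "config_change", "install", "data_theft"]


def parse(line):
    """Parse one 'timestamp key=value ...' line into a dict (constructed format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def stage_of(ev):
    """Map a raw event to a kill-chain stage, or None if it is not one.
    A large outbound transfer counts as data theft; small ones are ignored."""
    if ev["event"] == "outbound_transfer":
        return "data_theft" if int(ev.get("bytes", 0)) >= 10_000_000 else None
    return ev["event"] if ev["event"] in KILL_CHAIN else None


def correlate(lines, window=timedelta(hours=2), min_failed=3, alert_at=4):
    """Group events by source and match them against KILL_CHAIN in order.
    Returns {src: alert} for every source that reached at least `alert_at`
    stages within `window` of its first matched stage."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        stage = stage_of(ev)
        if stage is not None:
            by_src[ev["src"]].append((ev["ts"], stage))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        reached, failed, first_ts = [], 0, None
        for ts, stage in events:
            if len(reached) == len(KILL_CHAIN):
                break
            if stage != KILL_CHAIN[len(reached)]:
                continue  # not the next expected stage: ignore it
            if first_ts is None:
                first_ts = ts
            elif ts - first_ts > window:
                break  # too spread out to be one campaign under this rule
            if stage == "login_failed":
                failed += 1
                if failed < min_failed:
                    continue  # a couple of failures alone is noise, not a trigger
            reached.append(stage)
        if len(reached) >= alert_at:
            alerts[src] = {"stages": reached, "severity": len(reached),
                           "first_seen": first_ts.isoformat()}
    return alerts


if __name__ == "__main__":
    for src, alert in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {src}: severity {alert['severity']}, "
              f"stages={' > '.join(alert['stages'])}, since {alert['first_seen']}")
```

The rule is deliberately strict (each stage must follow the previous one from the same source), which is why the teller's single failed log-in and the small outbound transfer never raise anything; a production rule would usually let the chain start at a later stage and would key on user and host as well as source address.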

Page 33:

The different point of view

• Security is a strategy and a process, perfectly supported by SIEM.
• Think like your enemy! Reduce the possibility of security breaches with the most comprehensive Security Information & Event Management.
• Reduce the workload through Security Information & Event Management.
• Expect the unexpected: strong content, border and endpoint security through threat management protects you from surprises!
• I don't know what I don't know! With network forensics you will!!
• Security is the art of opening systems in a way that keeps them perfectly closed!
• Security without enough SIEM is like finding a needle in a haystack without knowing which colour the needle has or in which barn the haystack is!
• Identify before you let someone access anything!!

Page 34:

Secure end to end protocols

Page 35:

Networks and distribution channels are converging

(Slide graphic: banks, telecoms, public authorities, retail and media enterprises converge on shared services, products and content.)

Page 36:

Security/Identification Services

Integrity - Guarantees that information content has not been tampered with or altered.

Privacy/Confidentiality - Protects sensitive information from being revealed indiscriminately, protects confidences and secures trusted transactions, financial and otherwise.

Authentication - Verifies user identity.

Non-repudiation - Assures the originator cannot disavow a transaction and enables the use of trusted, binding transaction receipts based on identity and/or role.

Access Control - Controls user access to information.

On the Internet nobody knows that you are a dog!

Page 37:

The challenge and the solution

The challenge:
• Limited physical security elements in the payment media
• Open and insecure channel
• No means for physical authentication
• Transactions are often executed in real-time

The solution is PKI, i.e. public key technology integrated into business applications.

Page 38:

Why PKI?

To put it simply, the PKI framework provides the electronic counterpart of a signature, which in the physical world serves to authenticate and authorize transactions and ensure non-repudiation from a legal standpoint. The PKI framework will also address the secure transportation of that instruction.

The planned widespread deployment of e-payment solutions to improve service delivery, interaction and transactions between G2G, G2B, G2C, B2B and C2B parties will require:

secure e-mail, DMS, cross-institutional use of secure web servers / databases, access control, etc.

To encourage online transactions, stakeholders (businesses, agencies, citizens, etc.) must be assured of trust value.

Page 39:

PKI is the solution

PKI (Public Key Infrastructure) provides a high-security and well-manageable solution for the listed security requirements.

PKI enables strong authentication, digital signature, non-repudiation, integrity and confidentiality.

PKI is a (de-facto) standard, in the same way as:
SET - e-commerce
EMV - debit and credit cards
Internet security protocols
Electronic ID/Health cards (Finland, Germany, Italy, France, …)

Page 40:

Benefits

• Typical applications are e-mails, chip card applications (GMPC), online value exchange (debit / credit cards), ID and citizen ID systems (passports, driver's licences), ticketing, etc.
• Forms part of the overall data and information security strategy, providing the comfort and confidence to move from face-to-face systems and transactions to the online arena
• Identity assurance: it allows for identification of entities
• Reduces risk
• Reduces transactional processing expenses
• Enhances efficiency and performance of systems and networks
• Reduces the complexity of security systems
• Allows distribution and use of security mechanisms (keys and certificates) with integrity

Page 41:

Public Key Infrastructure

RA - Registration Authority
CA - Certification Authority
CRL - Certificate Revocation List

(Slide diagram: the RA registers users with the CA; the CA issues certificates and publishes the CRL into the public domain. A user signs a message with their private key and sends it; the receiving user/server validates the signature with the sender's public key. For confidentiality a message is encrypted with the recipient's public key and decrypted with the recipient's private key.)
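The services listed on slides 22 and 36 (confidentiality, integrity, authentication, non-repudiation) and the RA / CA / CRL flow in the diagram above come down to a handful of operations. The block below is an added example, not code from this presentation or from any PKI product: it uses a deliberately small textbook RSA built from fixed Mersenne primes, with no padding, purely to make the flow visible (issue a certificate, check it against the CA key and the CRL, then verify a signed instruction), and it must not be used for real keys. The certificate layout, the subject name, the serial number and the sample payment instruction are all invented for the example.

```python
import hashlib
import json


# Toy RSA on fixed Mersenne primes: shows the mechanics only, NOT secure.
def toy_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # private exponent
    return {"n": n, "e": e}, {"n": n, "d": d}  # (public, private)


def digest_int(data, n):
    """Integrity: SHA-256 of the data, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    """Non-repudiation: only the private key holder can produce this value."""
    return pow(digest_int(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data, sig):
    """Anyone holding the public key can check the signature against the data."""
    return pow(sig, pub["e"], pub["n"]) == digest_int(data, pub["n"])


def encrypt(pub, m):
    """Confidentiality: encrypt a small integer to the public key (textbook RSA)."""
    return pow(m, pub["e"], pub["n"])


def decrypt(priv, c):
    return pow(c, priv["d"], priv["n"])


def issue_cert(ca_priv, serial, subject, subject_pub):
    """CA step: after the RA has vetted the subject, bind name to public key
    by signing the to-be-signed (tbs) fields. Layout invented for the example."""
    tbs = {"serial": serial, "subject": subject,
           "n": subject_pub["n"], "e": subject_pub["e"]}
    body = json.dumps(tbs, sort_keys=True).encode()
    return {"tbs": tbs, "sig": sign(ca_priv, body)}


def validate_cert(ca_pub, cert, crl):
    """Validate step: the CA signature must hold and the serial must not be on the CRL."""
    body = json.dumps(cert["tbs"], sort_keys=True).encode()
    if not verify(ca_pub, body, cert["sig"]):
        return False, "bad CA signature"
    if cert["tbs"]["serial"] in crl:
        return False, "revoked"
    return True, "ok"


def verify_signed_message(ca_pub, crl, cert, message, sig):
    """Relying party: trust the CA, validate the certificate, then check the message."""
    ok, reason = validate_cert(ca_pub, cert, crl)
    if not ok:
        return False, reason
    user_pub = {"n": cert["tbs"]["n"], "e": cert["tbs"]["e"]}
    if not verify(user_pub, message, sig):
        return False, "bad message signature"
    return True, "ok"


# Constructed demo: a CA, a user key, a certificate and a signed instruction.
CA_PUB, CA_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)
USER_PUB, USER_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
CERT = issue_cert(CA_PRIV, serial=1001, subject="teller-42@example-bank",
                  subject_pub=USER_PUB)
MESSAGE = b"transfer 5000 from acct 0011 to acct 2233"  # constructed instruction
SIG = sign(USER_PRIV, MESSAGE)

if __name__ == "__main__":
    print(verify_signed_message(CA_PUB, set(), CERT, MESSAGE, SIG))       # (True, 'ok')
    print(verify_signed_message(CA_PUB, set(), CERT, MESSAGE + b"0", SIG))  # tampered
    print(verify_signed_message(CA_PUB, {1001}, CERT, MESSAGE, SIG))      # revoked
    print(decrypt(USER_PRIV, encrypt(USER_PUB, 424242)))                  # 424242
```

Two points the diagram leaves implicit and the code makes explicit: the relying party never trusts the user's public key directly, only the CA's signature over it, and a valid signature from a revoked certificate is still rejected, so CRL (or OCSP) checking is part of "validate", not an optional extra.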

Page 42:

Opportunities

Compliance
+ Federal IT regulation continues to expand: SOX, GLBA, HSPD-12, FFIEC
+ Most regulations speak to authentication, data integrity, and audit trails
+ Non-compliance = shutdown or penalties

Risk Management
+ Continued drive towards online models
+ Increased public awareness of security threats
+ Operational costs related to security breaches
+ Public security breaches = lost customer confidence

Partnerships and Mobility
+ Ubiquitous access
+ Partner integration
+ Internal and external self service
+ Opening networks = more complex exposures

Page 43:

Market Response

• Authentication
– Prevent unauthorized access through enhanced authentication
– Primary integration points: web app, remote access, desktop logon, and wireless

• Encryption
– Protect sensitive information whether data is in transit or at rest
– Primary integration points: email, disk, file/folder, and databases

• Digital Signatures
– Strengthen integrity and audit potential of electronic transactions
– Primary integration points: email, Adobe, and custom apps

Page 44:

Reality and Solution

The Reality
– In order to compete effectively, enterprises must open up their previously closed networks to business partners, customers, and their own increasingly mobile workforce. While greater levels of interconnection drive productivity, they also create more opportunities for exposure to risk. Government and industry regulation as well as stronger corporate governance are driving the adoption of risk mitigation strategies that include the areas of strong authentication and encryption.

The Solution
– VeriSign operates a highly available and secure infrastructure that enables organizations to leverage VeriSign's authentication and encryption services without the risk, effort, and expense of building out their own solutions. The VeriSign platform helps address business challenges and regulations around strong authentication and the maintenance of data confidentiality and integrity while allowing organizations to focus their efforts and resources on more strategic initiatives.

Page 45:

PKI Services

(Slide diagram of service components: PKI/CA software & hardware; risk and liability management; user support; application enablement; authentication; application consulting; secure infrastructure; service availability; policy & practices.)

A PKI requires: technology, people, facilities, applications, policy and procedures.

Page 46:

Thanks For the Chance To Talk Today

Are there any questions?

Page 47:

CyberCrime has already hit your company, but you were not able to detect it!

The complete solution with SIEM to prevent being a victim!

Presented to you by Shamiel Bhikha, Consultant (Chief Security Advisor)

[email protected]
+2347060671347 (Nigeria mobile) or +27796280186 (worldwide mobile)

Page 48:

End-to-End Security

Endless Possibilities