
Securing the Digital Terrain


Presentation Transcript


  1. Securing the Digital Terrain CISO, Networks & Telecommunications e-Security

  2. Introduction Shamiel Bhikha • Security Expert & Consultant, Author, Chief Security Advisor • 39 yrs., married, 2 Kids • 26 yrs. in IT • 15 yrs. in Security • Networks, Internet, Security, Computer & Network Forensics, Lawful Interception, Cybercrime • Shamiel.Bhikha@Altechwa.com

  3. Introduction • My ongoing international work with law enforcement agencies and governmental services has given me a solid reputation in cyber crime analysis, unwanted communication behaviour and targeted monitoring of activities and individuals. As a trainer for agencies in law enforcement, I have trained several organizations in Central and Eastern Europe, the Arab world, Africa and Asia. • I’m a member, founder and co-founder of several European and German security initiatives like EICAR, CTOSE (European Commission), KOSIB and others.

  4. Electronic Security/Identification: what the %&@*#* are they talking about? RSA, RA, MDC, DAC, PKI, Asymmetric, PEM, RCA, DES, DEA, SSL, CRL, MIC, X.509, PKCS, Symmetric, MSP, DSA, SHA, KDC, MAC, Hash Value

  5. Introduction - Before Nigerian Payment Systems • Long queues in banking halls • No banking services after close of business • Physical presence required for all banking transactions • High security risk associated with cash handling • Absence of self service banking • Cumbersome process of transferring funds • High cost of cash management • Heavy reliance on the use of cheques/drafts • Long turnaround time for processing transactions

  6. Introduction • The payments system plays a very crucial role in any economy, being the channel through which financial resources flow from one segment of the economy to another. It therefore represents the major foundation of the modern market economy: the monetary policy role, the financial stability role and the overall economic role. • Due to its importance, the Central Bank of Nigeria put in place a set of National Payment Systems (NPS) policy objectives as a broad guideline and framework for all payment systems initiatives: • to ensure that the system is available without interruption, • to meet all users' needs, • to operate at minimum risk and reasonable cost. • Over the past ten years the Central Bank of Nigeria (CBN), in collaboration with the Bankers' Committee, has been pursuing the first major initiative to modernize the payments system.

  7. Types of Payment Systems • Electronic Channels in Banking are the channels through which customers are served other than through traditional banking; they include: • Automated Teller Machine (ATM) • Debit Cards • Credit Cards • Point of Sale Terminal (POS) • Paydirect • Etransact • Corporate Pay • Kiosks • Webpay • Internet Banking • Telephone/Mobile Banking • SMS Banking

  8. Why are banks embracing Payment Systems today? • To encourage self service banking • To displace cash/cheque payments • To protect and grow customer base • To deepen customer relationships and increase loyalty • To provide a defense mechanism against competition • To reduce queues in our branches • To increase profitability (long run)

  9. Circular To All Deposit Money Banks

  10. Identified risk issues • Cheque splitting • Burden on AML application • False positives • Reviewing/collation time • Anticipated increase in cheque consumption rate/cheque requests • Volume in clearing centers • Cost of producing cheques • Cloning of cheques • Turn around times/penalty charges • Increase usage of Payment Systems • And so on …………

  11. Control Measures • Transactions must be tied to the Teller's till balance • Collections through payment systems must be remitted quickly • Prevention of logon from another bank's collection website • Tellers must not compromise their user id, password & PIN • Reduction of Transaction Limits • Efficient Investigation & Reconciliation team to review reports • Controlled User Security Management – admin rights/privileges • 24/7 Call Centers to block/hotlist cards (can this be automated?) • Default PIN must be activated on the card before cash loading • Installation of cameras on ATMs • Blocking of phishing websites – safe list of websites • Good Record Management - KYC • Strong awareness campaign on the risks of PIN compromise - adverts in newspapers and posters in branches. • E-fraud forum • Implementation of an intelligent system to track fraudulent transactions

  12. Drivers for Electronic Security/Identification • Electronic transactions and e-commerce require identification • business-to-consumer • business-to-business • consumer-to-consumer • National and regional legislation sets its own requirements on the implementation of electronic identification and related services • Convergence of open networks

  13. e – Payment System • E-Payment: Exchange of Goods / Services • Contracting parties: Buyer and Seller • Fundamental principles: Trust and Security • Intermediaries: • Direct (Distributors, Retailers) • Indirect (Banks, Regulators) • Money is a medium to facilitate transactions • Attributes of money: • Acceptability, Portability, Divisibility • Security, Anonymity • Durability, Interoperability

  14. e- Payment System • Automation of commercial transactions using computers and communication technologies • Facilitated by Internet and WWW • Business-to-Business: EDI • Business-to-Consumer: WWW retailing • Some features: • Easy, global access, 24 hour availability • Customized products and services • Back Office integration • Additional revenue stream

  15. e- Payment System Steps • Attract prospects to your site • Positive online experience • Value over traditional retail • Convert prospect to customer • Provide customized services • Online ordering, billing and payment • Keep them coming back • Online customer service • Offer more products and conveniences Maximize revenue per sale

  16. e- Payment System Participants

  17. e- Payment System Problems • Snooper • Unknown customer • Unreliable merchant

  18. e- Payment System risks • Customer's risks • Stolen credentials or password • Dishonest merchant • Disputes over transaction • Inappropriate use of transaction details • Merchant’s risk • Forged or copied instruments • Disputed charges • Insufficient funds in customer’s account • Unauthorized redistribution of purchased items • Main issue: Secure payment scheme

  19. Why is the Internet insecure? • Host security • Client • Server (multi-user) • Transmission security • Passive sniffing • Active spoofing and masquerading • Denial of service • Active content • Java, Javascript, ActiveX [Diagram: eavesdropping, denial of service, replay/fabrication and interception between parties A and B by an attacker C, across client (C) and server (S) hosts]

  20. Building Trust Trust is the foundation of any banking institution. And this year more than any other, that trust has been put to the test. From highly-publicized data loss cases at Countrywide and Bank of New York Mellon to outright failures of banks such as IndyMac - and then to the September swoon of Merrill Lynch, Lehman Bros. and AIG - 2008 has been riddled with numerous incidents that call into question institutions' abilities to protect their customers' financial and informational assets. At the same time, a younger, more tech-savvy consumer base is coming of age and demanding new, electronic banking channels. Institutions need not only to be able to serve these customers, but to recruit and retain them. Security can be a real competitive differentiator here, enabling institutions to demonstrate the lengths to which they'll go to ensure a safe, secure banking experience.

  21. e- Payment Security • Authorization, Access Control: • protect the intranet from the hordes: Firewalls • Confidentiality, Data Integrity: • protect contents against snoopers: Encryption • Authentication: • both parties prove their identity before starting the transaction: Digital certificates • Non-repudiation: • proof that the document originated from you and only you: Digital signature

  22. The customer relationship is everything Protecting its clients and their assets is a huge responsibility, one that should be taken very seriously. Financial institutions must uphold that commitment by making security and privacy a cornerstone of their business philosophy and, more importantly, putting their money where their mouth is by investing heavily in addressing evolving online security-related needs.

  23. It All Comes Back to Trust Whether or not they have actually been victims, most individuals see themselves as potential prey to any number of electronic crimes, from an account take-over to credit card fraud or identity theft. “Who could really blame them?” “Just open any newspaper, and horror stories abound.” Among the recent headlines: Phishing attacks on the IRS, enticing taxpayers to relinquish their account numbers in order to receive an early rebate. The Hannaford retail data breach scandal in which malware re-routed credit card information to awaiting criminals. Countless new incidents of identity theft.

  24. e - Payment • The regulatory framework for e-payments is further evolving. Public authorities need to reinforce overall consistent objectives, particularly regarding safety, efficiency and market integration. • Currently the electronification of payments is approaching another stage, which can be largely grouped around new business opportunities in electronic commerce that have arisen from the use of the internet.

  25. Security for e-payment • Access Control (Authorization, Authentication, Boundary) • Encryption (Cryptographic, PKI) • Secure Communications (Physical Infrastructure) • Management (Enterprise System & Security) • Systems and Network Services (software validation) • Business Continuity Management (disaster recovery)

  26. New Opportunities • On the Internet no-one knows you are a dog • Internet banking infrastructure is cheap and easy to build: an opportunity to leap-frog • Open standards level the playing field • Must work with new standards

  27. Advance Fee Fraud 419
  From: "Mr. Don Peter"
  To: undisclosed-recipients:;
  Subject: Dear Friend
  Date: Thu, 18 Oct 2007 08:39:10 -0400
  Reply-to: hellen_doris1@yahoo.fr
  Dear Friend It has been long we communicate last, am so sorry for the delay, I want to Inform you that your cheque of ($850.000.00) Which my boss asked me to mail to you as soon as you requested it, is still with me. But due to some minure issue you fails to respond at the Approprete time, and presently the cheque is with me here in LAGOS-NIGERIA Though i had a new contact from a friend of mine who works with one security company here in NIGETIA that will deliver you your cheque at your door step with a cheeper rate, which the company said that it will cost you the sum of $198.00 usd, So you have to Contact them and register with them now.

  28. Considering That Sample… • The actual 419 scam sample you've just seen is so full of spelling and usage errors that it may be hard to believe that anyone would take it seriously. • Yet we know that people do fall for these sorts of 4-1-9 scams…

  29. Enough with Theory, let's go live! • Analysis Technologies by Visualizing data • Context Analysis on eMail • Profiling of Network Objects for Man Hunt • Outperforming CyberCrime by thinking like your Enemy • Precautions in Networks to prevent CyberCrime • Tips, Tricks and Cases that have already happened!

  30. Security Breach Scenario [Diagram: an external hacker against HQ and a branch office (router, switch, UTM firewall/IPS, DMZ with mail server, web server and AV/spam/spyware gateway, transaction server, domain controller, wireless, corporate users); event chain: port-scan event → failed log-ins → log-in success → network attack → config changes with root/admin access → install rogue application → data theft] • Security threats and targeted attacks are growing rapidly. Financial fraud and identity theft are on the rise. To meet evolving challenges you need to correlate log data with vulnerability, configuration, asset, performance and NBAD (network behaviour anomaly detection) analytics.

  31. Consequence = Lesson learnt! • You need endpoint security to get triggers • Triggers have to be correlated in an information system to recognize alarms • Get ahead of cybercrime by thinking like your enemy • Logical penetration tests are useful as they involve human factors • There is no such thing as ROI on security; or is there an ROI on an unused fire extinguisher?

  32. The different point of view • Security is a strategy & process, perfectly supported by SIEM. • Think like your enemy! Reduce the possibility of security breaches with the most comprehensive Security Information & Event Management • Reduce the workload through Security Information & Event Management • Expect the unexpected: strong content, border and endpoint security through threat management protects you from surprises! • I don't know what I don't know! With network forensics you will! • Security is the art of opening systems in a way that keeps them perfectly closed! • Security without enough SIEM is like finding a needle in a haystack without knowing what colour the needle is or which barn the haystack is in! • Identify before you let someone access anything!
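The correlation that slides 30 to 32 call for, as an added example that is not part of the presentation or of any SIEM product: a small stateful correlator in Python that replays the breach chain of slide 30 (port scan, repeated failed log-ins, a successful log-in, then a root-level configuration change) over constructed log lines. The event names, hosts, addresses, thresholds and time windows are assumptions made for the illustration.

```python
"""Correlating endpoint triggers into an alarm (added example, not from the slides).
Replays the breach chain of slide 30 over constructed, syslog-like sample lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <host> <event> key=value ...". Not real logs.
SAMPLE_LOGS = """\
2008-09-15T09:00:01 fw  portscan      src=203.0.113.9 dst=10.0.0.5
2008-09-15T09:00:10 web auth_fail     user=admin src=203.0.113.9
2008-09-15T09:00:12 web auth_fail     user=admin src=203.0.113.9
2008-09-15T09:00:15 web auth_fail     user=admin src=203.0.113.9
2008-09-15T09:00:20 web auth_ok       user=admin src=203.0.113.9
2008-09-15T09:01:05 web config_change user=admin priv=root src=203.0.113.9
2008-09-15T09:30:00 web auth_ok       user=alice src=10.0.0.7
2008-09-15T09:30:05 web config_change user=alice priv=root src=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_event(line):
    """One log line -> dict with ts, host, event and the key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable line: %r" % line)
    ts, host, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}

def correlate(log_text, fail_threshold=3, window=timedelta(minutes=5),
              chain_window=timedelta(minutes=30)):
    """Stateful correlation over time-ordered events.
    Rule 1: >= fail_threshold failed log-ins for one user from one source within
            `window`, then a successful log-in from that source (brute force).
    Rule 2: a root/admin config change from a source flagged by rule 1 within
            `chain_window` of that log-in (the escalation step on slide 30).
    A prior port scan from the same source raises rule 1 to high severity.
    Isolated triggers (one failed log-in, an administrator's own config change)
    raise no alarm: that is the point of correlating instead of alerting per event."""
    events = sorted((parse_event(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent auth_fail
    scanners = {}                   # src -> time of last port scan
    suspicious = {}                 # src -> time of the log-in that followed a brute force
    alerts = []
    for ev in events:
        src, user, t = ev.get("src"), ev.get("user"), ev["ts"]
        if ev["event"] == "portscan":
            scanners[src] = t
        elif ev["event"] == "auth_fail":
            q = failures[(src, user)]
            q.append(t)
            while t - q[0] > window:             # expire failures outside the window
                q.popleft()
        elif ev["event"] == "auth_ok":
            q = failures[(src, user)]
            while q and t - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append({"rule": "brute_force_then_success", "src": src,
                               "user": user, "ts": t, "failures": len(q),
                               "severity": "high" if src in scanners else "medium"})
                suspicious[src] = t
                q.clear()
        elif ev["event"] == "config_change" and ev.get("priv") == "root":
            if src in suspicious and t - suspicious[src] <= chain_window:
                alerts.append({"rule": "privileged_change_after_suspicious_login",
                               "src": src, "user": user, "ts": t, "severity": "critical"})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(a["severity"].upper(), a["rule"], a["src"], a["user"], a["ts"].time())
```

Run on the sample, the correlator raises two alarms for 203.0.113.9 (a high-severity brute force because the same source scanned first, then a critical privileged change 45 seconds after the suspicious log-in) and none for alice, whose root-level change is preceded by a clean log-in. Raising the failure threshold to 4 silences both rules, which shows why thresholds and windows are tuning decisions rather than fixed constants.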

  33. Secure end to end protocols

  34. Networks and distribution channels are converging [Diagram: banks, telecoms, public authorities, retail and media enterprises converging on shared services, products and content]

  35. Security/Identification Services • Integrity - Guarantees that information content has not been tampered with, altered, or revealed indiscriminately. • Privacy/Confidentiality - Protects sensitive information, protects confidences and secures trusted transactions financial and otherwise. • Authentication - Verifies user identity. • Non-repudiation - Assures originator cannot disavow a transaction and enables use of trusted, binding transaction receipts based on identity and/or role. • Access Control - Controls user access to information. On the Internet nobody knows that you are a dog!

  36. The challenge and the solution • Open and insecure channel • No means for physical authentication • Transactions are often executed in real time • Limited physical security elements in the payment media • The solution is PKI, i.e. public key technology integrated into business applications

  37. Why PKI? To put it simply, the PKI framework will provide the electronic counterpart of a signature, which in the physical world serves to authenticate and authorize transactions and ensure non-repudiation from a legal standpoint. The PKI framework will also address the secure transportation of that instruction. • The planned widespread deployment of e-payment solutions to improve service delivery, interaction and transactions between G2G, G2B, G2C, B2B and C2B parties will require: • secure e-mail, DMS • cross-institutional use of secure web servers/databases, access control, etc. • To encourage online transactions, stakeholders (businesses, agencies, citizens, etc.) must be assured of trust value

  38. PKI is the solution • PKI (Public Key Infrastructure) provides a high security and well-manageable solution for the listed security requirements • PKI enables strong authentication, digital signature, non-repudiation, integrity and confidentiality • PKI is a (de-facto) standard the same as: • SET - e-commerce • EMV - debit and credit cards • Internet security protocols • Electronic ID/Health cards (Finland, Germany, Italy, France, …)

  39. Benefits • Typical applications are e-mails, chip card applications (GMPC), online value exchange (debit / credit cards) ID, Citizen ID systems (Passports, Driver’s license), Ticketing, etc • Forms part of the overall data and information security strategy to provide the comfort and confidence to move from face-to-face systems and transactions to the online arena • Identity Assurance – it allows for identification of entities • Reduces risk • Reduces transactional processing expenses • Enhances efficiency and performance of systems and networks • Reduces the complexity of security systems • Allows distribution and use of security mechanisms – keys and certificates – with integrity

  40. Public Key Infrastructure [Diagram: the RA (Registration Authority) enrols the user and passes the vetted request to the CA (Certification Authority), which issues the certificate and publishes the CRL (Certificate Revocation List) to the public domain. The sender signs the message with its private key and encrypts it to the recipient's public key; the recipient decrypts with its private key and validates the signature against the sender's public key.]
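What the RA/CA/CRL flow of slide 40 and the security services of slides 19, 21 and 35 look like in code, as an added example that is not from the presentation or any vendor: a toy PKI in Python in which a CA issues a certificate for a customer key, the bank checks that certificate against a CRL, verifies the signature over a payment instruction (integrity, authentication, non-repudiation) and rejects a replayed copy of it (the replay attack of slide 19). The account names, the JSON instruction format, the nonce field and the seeded 160-bit textbook RSA are assumptions for the illustration; that RSA has no padding and is not secure, it only stands in for a vetted library so the block runs with the standard library alone.

```python
"""Toy PKI for signed payment instructions (added example, not from the slides).
Textbook RSA, 160-bit primes, no padding: insecure, stands in for a real library."""
import hashlib, json, math, random

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(rng, bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full size and odd
        if is_probable_prime(cand, rng):
            return cand

def keypair(rng, bits=160, e=65537):
    """Return ((n, e), (n, d)); n is ~320 bits so a SHA-256 digest is below n."""
    while True:
        p, q = gen_prime(rng, bits), gen_prime(rng, bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def canonical(obj):
    """Canonical bytes so signer and verifier hash exactly the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(digest(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data)

def issue_cert(ca_priv, issuer, subject, subject_pub, serial):
    """CA step: once the RA has vetted the subject, bind name to key and sign."""
    tbs = {"issuer": issuer, "subject": subject, "serial": serial,
           "n": subject_pub[0], "e": subject_pub[1]}
    return {"tbs": tbs, "sig": sign(ca_priv, canonical(tbs))}

def check_cert(cert, ca_pub, crl):
    """None if the certificate validates, else the reason. `crl` is a bare set of
    revoked serials here; a real CRL is itself signed and dated by the CA."""
    if not verify(ca_pub, canonical(cert["tbs"]), cert["sig"]):
        return "certificate signature invalid"
    if cert["tbs"]["serial"] in crl:
        return "certificate revoked"
    return None

class PaymentVerifier:
    """Bank-side checks, in order: certificate and CRL, signature, replay."""
    def __init__(self, ca_pub, crl):
        self.ca_pub, self.crl, self.seen = ca_pub, crl, set()
    def accept(self, instruction, sig, cert):
        err = check_cert(cert, self.ca_pub, self.crl)
        if err:
            return False, err
        tbs = cert["tbs"]
        if not verify((tbs["n"], tbs["e"]), canonical(instruction), sig):
            return False, "signature invalid (tampered or forged)"
        key = (tbs["subject"], instruction["nonce"])
        if key in self.seen:                       # replay attack of slide 19
            return False, "replayed instruction"
        self.seen.add(key)
        return True, "accepted"

def demo():
    """One instruction through accept, replay, tamper and revocation."""
    rng = random.Random(2008)                      # fixed seed: deterministic toy keys
    ca_pub, ca_priv = keypair(rng)
    cust_pub, cust_priv = keypair(rng)
    crl = set()
    cert = issue_cert(ca_priv, "Demo CA", "acct-1001", cust_pub, serial=1)
    bank = PaymentVerifier(ca_pub, crl)
    instr = {"from": "acct-1001", "to": "acct-2002", "amount": 250000, "nonce": "7f3a"}
    sig = sign(cust_priv, canonical(instr))        # constructed sample instruction
    out = [bank.accept(instr, sig, cert)[1]]                           # accepted
    out.append(bank.accept(instr, sig, cert)[1])                       # same nonce again
    out.append(bank.accept(dict(instr, amount=2500000), sig, cert)[1])  # snooper edits amount
    fresh = dict(instr, nonce="7f3b")
    crl.add(1)                                     # CA revokes after a compromise report
    out.append(bank.accept(fresh, sign(cust_priv, canonical(fresh)), cert)[1])
    return out
```

The order of checks in `accept` matters: the certificate is validated against the CA key and the CRL before the signature is even looked at, so a revoked customer cannot get a fresh, correctly signed instruction through; and the signature is checked before the nonce is recorded, so a snooper who edits the amount cannot burn the customer's nonce with a forged copy.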

  41. Opportunities • Compliance: Federal IT regulation continues to expand: SOX, GLBA, HSPD-12, FFIEC; most regulations speak to authentication, data integrity, and audit trails; non-compliance = shutdown or penalties • Risk Management: continued drive towards online models; increased public awareness of security threats; operational costs related to security breaches; public security breaches = lost customer confidence • Partnerships and Mobility: ubiquitous access; partner integration; internal and external self service; opening networks = more complex exposures

  42. Market Response • Authentication: prevent unauthorized access through enhanced authentication; primary integration points: web app, remote access, desktop logon, and wireless • Encryption: protect sensitive information whether data is in transit or at rest; primary integration points: email, disk, file/folder, and databases • Digital Signatures: strengthen integrity and audit potential of electronic transactions; primary integration points: email, Adobe, and custom apps

  43. Reality and Solution - The Reality In order to compete effectively, enterprises must open up their previously closed networks to business partners, customers, and their own increasingly mobile workforce. While greater levels of interconnection drive productivity, they also create more opportunities for exposure to risk. Government and industry regulation as well as stronger corporate governance are driving the adoption of risk mitigation strategies that include the areas of strong authentication and encryption. - The Solution VeriSign operates a highly available and secure infrastructure that enables organizations to leverage VeriSign’s authentication and encryption services without the risk, effort, and expense of building out their own solutions. The VeriSign platform helps address business challenges and regulations around strong authentication and the maintenance of data confidentiality and integrity while allowing organizations to focus their efforts and resources on more strategic initiatives.

  44. PKI Services • Secure Infrastructure • Policy & Practices • Authentication • PKI/CA Software & Hardware • Service Availability • Application Enablement • Application Consulting • User Support • Risk and Liability Management • A PKI requires: technology, people, facilities, applications, policy and procedures.

  45. Thanks For the Chance To Talk Today Are there any questions?

  46. CyberCrime already hit your company, but you were not able to detect it! The complete solution with SIEM to prevent being a victim! Presented to you by Shamiel Bhikha, Consultant (Chief Security Advisor), Shamiel.Bhikha@altechwa.com, +2347060671347 (Nigeria mobile) or +27796280186 (worldwide mobile)

  47. End-to-End Security Endless Possibilities
