
Securing the Digital Terrain
CISO, Networks & Telecommunications, e-Security
Introduction: Shamiel Bhikha
Security Expert & Consultant, Author, Chief Security Advisor
39 yrs., married, 2 Kids
26 yrs. in IT
15 yrs. in Security
Networks, Internet, Security, Computer & Network Forensics, Lawful Interception, Cybercrime
[email protected]
Introduction
• My ongoing international work with law enforcement
agencies and governmental services has given me a solid
reputation in cyber crime analysis, unwanted
communication behaviour and targeted monitoring of
activities and individuals. As a trainer for agencies in law
enforcement, I have trained several organizations in
Central and Eastern Europe, the Arab world, Africa and
Asia.
• I’m a member, founder and co-founder of several
European and German security initiatives like EICAR,
CTOSE (European Commission), KOSIB and others.
Electronic Security/Identification
PKI
RCA
CRL
MSP
Introduction - Before Nigerian Payment Systems
• Long queues in banking halls
• No banking services after close of business
• Physical presence required for all banking transactions
• High security risk associated with cash handling
• Absence of self service banking
• Cumbersome process of transferring funds
• High cost of cash management
• Heavy reliance on the use of cheques /drafts
• Long turnaround time for processing transactions
Introduction
• The payments system plays a very crucial role in any economy, being the
channel through which financial resources flow from one segment of the
economy to the other. It, therefore, represents the major foundation of
the modern market economy - the Monetary Policy role, the financial
stability role and the overall economic role.
• Due to its importance, the Central Bank of Nigeria put in place a set of
National Payment Systems (NPS), policy objectives as a broad guideline
and framework for all payment systems initiatives:
– to ensure that the system is available without interruption,
– to meet all users' needs,
– to operate at minimum risk and reasonable cost.
• Over the past ten years the Central Bank of Nigeria (CBN), in
collaboration with the Bankers Committee, has launched the first major
initiative to modernize the payments system.
Types of Payment Systems
• Electronic Channels in Banking are the channels through which customers are served other than through traditional banking; they include the use of:
1. Automated Teller Machine (ATM)
2. Debit Cards
3. Credit Cards
4. Point of Sale Terminal (POS)
5. Paydirect
6. Etransact
7. Corporate Pay
8. Kiosks
9. Webpay
10. Internet Banking
11. Telephone/Mobile Banking
12. SMS Banking
Why are Banks embracing Payment Systems today?
• To encourage self service banking
• To displace cash/cheque payments
• To protect and grow customer base
• To deepen customer relationships and increase loyalty
• To provide a defense mechanism against competition
• To reduce queues in our branches
• To increase profitability (long run)
Circular To All Deposit Money Banks
Identified risk issues
• Cheque splitting
• Burden on AML application
• False positives
• Reviewing/collation time
• Anticipated increase in cheque consumption rate/cheque
requests
• Volume in clearing centers
• Cost of producing cheques
• Cloning of cheques
• Turnaround times/penalty charges
• Increased usage of Payment Systems
• And so on …
Control Measures
• Transactions must be tied with Teller's till balance
• Collections through payment systems must be remitted quickly
• Prevention of logon from another bank's collection website
• Tellers must not compromise their user id, password & PIN
• Reduction of Transaction Limits
• Efficient Investigation & Reconciliation team to review reports
• Controlled User Security Management – Admin rights/privileges
• 24/7 Call Centers to block/hotlist cards (can this be automated?)
• Default PIN must be activated on card before cash loading
• Installation of Cameras on ATMs
• Blocking of Phishing websites – safe list of websites
• Good Record Management - KYC
• Strong awareness campaign on associated risks relating to PIN compromise: adverts in newspapers and posters in branches
• E-fraud forum
• Implementation of Intelligent System to track fraud transactions
Drivers for Electronic Security/Identification
• Electronic transactions and e-commerce require identification:
– business-to-consumer
– business-to-business
– consumer-to-consumer
• National and regional legislation set their own requirements on the implementation of electronic identification and related services
• Convergence of open networks
e-Payment System
• E-Payment: Exchange of Goods / Services
• Contracting parties: Buyer and Seller
• Fundamental principles: Trust and Security
• Intermediaries:
– Direct (Distributors, Retailers)
– Indirect (Banks, Regulators)
• Money is a medium to facilitate transactions
• Attributes of money:
– Acceptability, Portability, Divisibility
– Security, Anonymity
– Durability, Interoperability
e- Payment System
• Automation of commercial transactions using
computers and communication technologies
• Facilitated by Internet and WWW
• Business-to-Business: EDI
• Business-to-Consumer: WWW retailing
• Some features:
– Easy, global access, 24 hour availability
– Customized products and services
– Back Office integration
– Additional revenue stream
e- Payment System Steps
• Attract prospects to your site
– Positive online experience
– Value over traditional retail
• Convert prospect to customer
– Provide customized services
– Online ordering, billing and payment
• Keep them coming back
– Online customer service
– Offer more products and conveniences
• Maximize revenue per sale
e-Payment System Participants
e-Payment System Problems
[Diagram: three sources of risk in an e-payment system: a snooper on the channel, an unknown customer and an unreliable merchant]
e-Payment System risks
• Customer's risks
– Stolen credentials or password
– Dishonest merchant
– Disputes over transaction
– Inappropriate use of transaction details
• Merchant's risks
– Forged or copied instruments
– Disputed charges
– Insufficient funds in customer's account
– Unauthorized redistribution of purchased items
• Main issue: Secure payment scheme
Why is the Internet insecure?
• Host security
– Client
– Server (multi-user)
• Transmission security
– Passive sniffing
– Active spoofing and masquerading
– Denial of service
• Active content
– Java, Javascript, ActiveX
[Diagram: attack patterns between parties A, B and C: eavesdropping, denial of service, interception, replay/fabrication]
Building Trust
Trust is the foundation of any banking institution. And this year
more than any other, that trust has been put to the test.
From highly-publicized data loss cases at Countrywide and Bank
of New York Mellon to outright failures of banks such as IndyMac
- and then to the September swoon of Merrill Lynch, Lehman Bros.
and AIG - 2008 has been riddled with numerous incidents that call
into question institutions' abilities to protect their customers'
financial and informational assets.
At the same time, a younger, more tech-savvy consumer base is
coming of age and demanding new, electronic banking channels.
Institutions need not only to be able to serve these customers, but
to recruit and retain them. Security can be a real competitive
differentiator here, enabling institutions to demonstrate the lengths
to which they'll go to ensure a safe, secure banking experience.
e- Payment Security
• Authorization, Access Control:
– protect intranet from hordes: Firewalls
• Confidentiality, Data Integrity:
– protect contents against snoopers: Encryption
• Authentication:
– both parties prove identity before starting transaction:
Digital certificates
• Non-repudiation:
– proof that the document originated by you & you only:
Digital signature
The customer relationship is everything
Protecting clients and their assets is a huge responsibility, one that
should be taken very seriously. Financial institutions must uphold that
commitment by making security and privacy a cornerstone of their
business philosophy and, more importantly, by putting their money where
their mouth is: investing heavily in addressing evolving online
security needs.
It All Comes Back to Trust
Whether or not they have actually been victims, most individuals see
themselves as potential prey to any number of electronic crimes, from
account take-over to credit card fraud or identity theft.
“Who could really blame them?”
“Just open any newspaper, and horror stories abound.” Among the
recent headlines:
• Phishing attacks on the IRS, enticing taxpayers to relinquish their account numbers in order to receive an early rebate.
• The Hannaford retail data breach scandal, in which malware rerouted credit card information to awaiting criminals.
• Countless new incidents of identity theft.
e-Payment
• The regulatory framework for e-payments is further evolving. Public authorities need to reinforce overall consistent objectives, particularly regarding safety, efficiency and market integration.
• Currently the electronification of payments is approaching another stage, which can be largely grouped around new business opportunities in electronic commerce that have arisen from the use of the internet.
Security for e-payment
Access Control (Authorization – Authentication –
Boundary)
Encryption (Cryptographic – PKI)
Secure Communications (Physical Infrastructure)
Management (Enterprise System & Security)
Systems and Network Services (software
validation)
Business Continuity Management (disaster
recovery)
New Opportunities
• On the Internet no-one knows you are a dog
• Internet banking infrastructure is cheap and easy to build: an opportunity to leap-frog
• Open standards level the playing field
• Must work with new standards
Advance Fee Fraud 419
From: "Mr. Don Peter"
To: undisclosed-recipients:;
Subject: Dear Friend
Date: Thu, 18 Oct 2007 08:39:10 -0400
Reply-to: [email protected]
Dear Friend
It has been long we communicate last, am so sorry for the delay, I
want to Inform you that your cheque of ($850.000.00) Which my boss asked
me to mail to you as soon as you requested it, is still with me.
But due to some minure issue you fails to respond at the Approprete
time, and presently the cheque is with me here in LAGOS-NIGERIA Though i
had a new contact from a friend of mine who works with one security company
here in NIGETIA that will deliver you your cheque at your door step with a
cheeper rate, which the company said that it will cost you the sum of $198.00
usd, So you have to Contact them and register with them now.
Considering That Sample…
• The actual 419 scam sample you've just seen is
so full of spelling and usage errors that it may be
hard to believe that anyone would take it
seriously.
• Yet we know that people do fall for these sort of
4-1-9 scams…
Enough with theory, let's become live!
• Analysis Technologies by Visualizing data
• Context Analysis on eMail
• Profiling of Network Objects for Man Hunt
• Outperforming CyberCrime by thinking like your Enemy
• Precautions in Networks to prevent CyberCrime
• Tips, Tricks and Cases already happened!!
Security Breach Scenario
[Diagram: HQ network with a DMZ (router, switch, UTM firewall/IPS, AV/spam/spyware gateway, mail server, web server, transaction server), a domain controller, corporate users, wireless and a branch office. Event markers along the attack path from the hacker: port-scan event, failed log-ins, rogue log-in success, root/admin access, application install, config changes, data theft.]
Security threats and targeted attacks are growing rapidly. Financial
fraud and identity theft are on the rise. To meet evolving challenges
you need to correlate log data with vulnerability, configuration, asset,
performance and NBAD analytics.
Consequence = Lesson learnt!
• You need endpoint Security to get Triggers
• Triggers have to be correlated in an Information System to recognize alarms
• Get ahead of CyberCrime by thinking like your Enemy
• Logical penetration tests are useful as they involve human factors
• There is no such thing as ROI on Security, or is there an ROI on an unused Fire Extinguisher?
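The correlation that the breach scenario and the lessons above call for, as an added example in Go that is not part of the original deck: the individual triggers from the diagram (a port-scan event, failed log-ins, a rogue log-in success, a configuration change) are parsed from constructed log lines and become alarms only when several of them line up for the same source address. The line format, sensor names, addresses, thresholds and window are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one trigger from an endpoint, firewall or server. The line format
// "<RFC3339 time> <sensor> key=value ..." is constructed for this example.
type Event struct {
	Time   time.Time
	Sensor string // system that reported the trigger
	Src    string // source address of the activity
	User   string // account involved, if any
	Kind   string // login-failed, login-success, port-scan, config-change
}

// Alarm is a finding that only the correlation of several triggers justifies.
type Alarm struct{ Src, Rule, Detail string }

// ParseEvent turns one log line into an Event.
func ParseEvent(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[2:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	return Event{Time: ts, Sensor: fields[1], Src: kv["src"], User: kv["user"], Kind: kv["event"]}, nil
}

// Correlate walks the events in time order and raises one alarm per source for (1) at least
// failThreshold failed logins inside window followed by a success and (2) a port scan
// followed inside window by a configuration change.
func Correlate(events []Event, failThreshold int, window time.Duration) []Alarm {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	failures := map[string][]time.Time{} // failed-login times per source
	lastScan := map[string]time.Time{}   // most recent port scan per source
	var alarms []Alarm
	for _, ev := range events {
		switch ev.Kind {
		case "login-failed":
			failures[ev.Src] = append(failures[ev.Src], ev.Time)
		case "login-success":
			recent := 0
			for _, t := range failures[ev.Src] {
				if ev.Time.Sub(t) <= window {
					recent++
				}
			}
			if recent >= failThreshold {
				alarms = append(alarms, Alarm{ev.Src, "guessed-credentials", fmt.Sprintf("%d failed logins then success as %s on %s", recent, ev.User, ev.Sensor)})
			}
			delete(failures, ev.Src) // a success closes the failure series either way
		case "port-scan":
			lastScan[ev.Src] = ev.Time
		case "config-change":
			if t, ok := lastScan[ev.Src]; ok && ev.Time.Sub(t) <= window {
				alarms = append(alarms, Alarm{ev.Src, "scan-then-config-change", fmt.Sprintf("port scan %s before config change on %s", ev.Time.Sub(t), ev.Sensor)})
			}
		}
	}
	return alarms
}

// sampleLog is constructed for this example; no line comes from a real system.
var sampleLog = []string{
	"2008-10-18T08:39:10Z firewall src=10.0.0.45 event=port-scan",
	"2008-10-18T08:40:01Z mailserver src=10.0.0.45 user=jdoe event=login-failed",
	"2008-10-18T08:40:09Z mailserver src=10.0.0.45 user=jdoe event=login-failed",
	"2008-10-18T08:40:17Z mailserver src=10.0.0.45 user=jdoe event=login-failed",
	"2008-10-18T08:41:30Z mailserver src=10.0.0.45 user=jdoe event=login-success",
	"2008-10-18T08:45:00Z domaincontroller src=10.0.0.45 user=jdoe event=config-change",
	"2008-10-18T08:50:00Z webserver src=192.168.5.9 user=anna event=login-failed",
	"2008-10-18T08:50:20Z webserver src=192.168.5.9 user=anna event=login-success",
	"2008-10-18T09:05:00Z domaincontroller src=192.168.5.20 user=admin event=config-change",
}

// DemoAlarms parses sampleLog and correlates it with a threshold of 3 failures in 10 minutes.
func DemoAlarms() ([]Alarm, error) {
	var events []Event
	for _, line := range sampleLog {
		ev, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return Correlate(events, 3, 10*time.Minute), nil
}

func main() { fmt.Println(DemoAlarms()) }
```

Run as written it reports two alarms for 10.0.0.45 and none for the single mistyped password from 192.168.5.9 or for the unrelated administrator change, which is the point of correlation: each trigger on its own is noise, the sequence is the alarm. In a deployment the thresholds and window would be tuned per sensor and the events would come from the SIEM's normalised feed rather than a string slice.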
The different point of view
• Security is a strategy & process, perfectly supported by SIEM.
• Think like your enemy! Reduce the possibility of Security breaches by the most comprehensive Security Information & Event Management.
• Reduce the Workload through Security Information & Event Management.
• Expect the unexpected: strong Content, Border and Endpoint Security by Threat Management protects you from surprises!
• I don't know what I don't know! With Network Forensics you will!!
• Security is the ART of opening systems in a way that keeps them perfectly closed!
• Security without enough SIEM is like finding a needle in a haystack without knowing which colour the needle has or in which barn the haystack is!
• Identify before you let someone Access anything!!
Secure end-to-end protocols
Networks and distribution channels are converging.
[Diagram: convergence of banks, telecoms, public authorities, retail and media enterprises around services, products and content]
Security/Identification Services
• Integrity - Guarantees that information content has not been tampered with, altered, or revealed indiscriminately.
• Privacy/Confidentiality - Protects sensitive information, protects confidences and secures trusted transactions, financial and otherwise.
• Authentication - Verifies user identity.
• Non-repudiation - Assures originator cannot disavow a transaction and enables use of trusted, binding transaction receipts based on identity and/or role.
• Access Control - Controls user access to information.
On the Internet nobody knows that you are a dog!
The challenge and the solution
• Open and insecure channel
• No means for physical authentication
• Transactions are often executed in real-time
• Limited physical security elements in the payment media
The solution is PKI - i.e. Public Key Technology integrated into Business Applications
Why PKI?
To put it simply, the PKI framework will provide the electronic counterpart
of a signature which in the physical world serves to authenticate and
authorize transactions and ensure non-repudiation from a legal
standpoint. The PKI Framework will also address the secure
transportation of that instruction.
The planned widespread deployment of e-payment solutions to improve
service delivery, interaction and transaction between G2G, G2B, G2C,
B2B and C2B companies will require:
• secure e-mail, DMS
• cross-institutional use of secure web servers / databases, access control, etc.
To encourage online transactions, stakeholders (businesses, agencies,
citizens, etc.) must be assured of trust value.
PKI is the solution
• PKI (Public Key Infrastructure) provides a high-security and well-manageable solution for the listed security requirements
• PKI enables strong authentication, digital signature, non-repudiation, integrity and confidentiality
• PKI is a (de-facto) standard, the same as:
– SET - e-commerce
– EMV - debit and credit cards
– Internet security protocols
– Electronic ID/Health cards (Finland, Germany, Italy, France, …)
Benefits
• Typical applications are e-mails, chip card applications
(GMPC), online value exchange (debit / credit cards) ID,
Citizen ID systems (Passports, Driver’s license), Ticketing, etc
• Forms part of the overall data and information security
strategy to provide the comfort and confidence to move from
face-to-face systems and transactions to the online arena
• Identity Assurance – it allows for identification of entities
• Reduces risk
• Reduces transactional processing expenses
• Enhances efficiency and performance of systems and
networks
• Reduces the complexity of security systems
• Allows distribution and use of security mechanisms – keys
and certificates – with integrity
Public Key Infrastructure
[Diagram] Components: RA - Registration Authority; CA - Certification Authority; CRL - Certificate Revocation List. The CA's certificates and the CRL are published in the public domain.
Flow: the user signs the message with their private key and sends message plus signature; the receiving user/server validates the signature with the sender's public key after checking the certificate against the CA and the CRL. For confidentiality the sender encrypts with the recipient's public key and the recipient decrypts with their private key.
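The sign-and-validate flow of the diagram, as an added example in Go using only the standard library (it is not code from the deck, from VeriSign or from any product the deck names): the CA issues the user's certificate, the user signs a payment instruction with their private key, and the relying party checks the certificate against the trusted CA and the CA-signed CRL before verifying the signature with the public key. This is how the authentication, integrity and non-repudiation properties listed under e-Payment Security and Security/Identification Services are obtained from certificates and digital signatures. The CA name, the serial numbers and the message are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKeyAndCert makes a P-256 key pair and its certificate: a self-signed CA when parent
// is nil, otherwise an end-user certificate signed by the CA's key.
func newKeyAndCert(name string, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // the Certification Authority signs its own certificate
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.BasicConstraintsValid, tmpl.IsCA = true, true
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewCA creates the Certification Authority (its name is constructed for this example).
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return newKeyAndCert("Demo Bank Root CA", 1, nil, nil)
}

// EnrollUser is the RA/CA step: once the Registration Authority has vetted the user, the CA
// binds the user's public key to their name in a certificate limited to digital signatures.
func EnrollUser(caKey *ecdsa.PrivateKey, ca *x509.Certificate, name string, serial int64) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return newKeyAndCert(name, serial, ca, caKey)
}

// SignMessage is the sender's step: sign the SHA-256 digest of the message with the private key.
func SignMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// IssueCRL is the CA's revocation step: a DER-encoded, CA-signed list of revoked serial numbers.
func IssueCRL(caKey *ecdsa.PrivateKey, ca *x509.Certificate, revoked []*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// VerifyMessage is the relying party's "Validate" step: the certificate must chain to the
// trusted CA, must not be listed on the CA-signed CRL, and the signature must match the message.
func VerifyMessage(ca *x509.Certificate, crlDER []byte, user *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := user.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by our CA: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(user.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	digest := sha256.Sum256(msg)
	if pub, ok := user.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match message")
	}
	return nil
}

func main() {
	caKey, ca, _ := NewCA()
	userKey, userCert, _ := EnrollUser(caKey, ca, "alice", 2)
	msg := []byte("transfer 100.00 to account 0001") // constructed payment instruction
	sig, _ := SignMessage(userKey, msg)
	crl, _ := IssueCRL(caKey, ca, nil)
	fmt.Println("verification error (nil means accepted):", VerifyMessage(ca, crl, userCert, msg, sig))
}
```

The chain check is what turns a bare public key into an identity (the RA's vetting is represented by the CA signing the certificate), and the CRL check is what lets the CA withdraw that identity later; a relying party that skips either step keeps accepting signatures from keys the institution no longer stands behind. ECDSA P-256 is used instead of RSA purely for brevity; the validation steps are the same for either algorithm.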
Opportunities
Compliance
+ Federal IT regulation continues to expand: SOX, GLBA, HSPD-12, FFIEC
+ Most regulations speak to authentication, data integrity, and audit trails
+ Non-Compliance = Shutdown or Penalties
Risk Management
+ Continued drive towards online models
+ Increased public awareness of security threats
Partnerships and Mobility
+ Ubiquitous access
+ Partner Integration
+ Internal and external self service
+ Operational costs related to security breaches
+ Public security breaches = Lost Customer Confidence
+ Opening networks = More complex exposures
Market Response
• Authentication
– Prevent unauthorized access through enhanced authentication
– Primary integration points: Web app, remote access, desktop logon, and
wireless
• Encryption
– Protect sensitive information whether data is in transit or at rest
– Primary integration points: Email, disk, file/folder, and databases
• Digital Signatures
– Strengthen integrity and audit potential of electronic transactions
– Primary integration points: Email, Adobe, and custom apps
Reality and Solution
The Reality
– In order to compete effectively, enterprises must open up their previously
closed networks to business partners, customers, and their own
increasingly mobile workforce. While greater levels of interconnection
drive productivity, they also create more opportunities for exposure to
risk. Government and industry regulation as well as stronger corporate
governance are driving the adoption of risk mitigation strategies that
include the areas of strong authentication and encryption.
The Solution
– VeriSign operates a highly available and secure infrastructure that enables
organizations to leverage VeriSign's authentication and encryption
services without the risk, effort, and expense of building out their own
solutions. The VeriSign platform helps address business challenges and
regulations around strong authentication and the maintenance of data
confidentiality and integrity while allowing organizations to focus their
efforts and resources on more strategic initiatives.
PKI Services
[Diagram: the service areas around a PKI: Policy & Practices; Application Enablement; Risk and Liability Management; Authentication; PKI/CA Software & Hardware; Application Consulting; Secure Infrastructure; Service Availability; User Support]
A PKI requires: technology, people, facilities, applications, policy and procedures.
Thanks For the Chance To Talk
Today
Are there any questions?
CyberCrime already hit your company, but you were not able to detect it !
The complete solution with SIEM to prevent being a Victim !
Presented to you by Shamiel Bhikha
Consultant (Chief Security Advisor)
[email protected]
+2347060671347 Nigeria mobile
Or +27796280186 Worldwide mobile
End-to-End Security
Endless Possibilities