joint presentation - part 1: the future evolution of e-banking & cyber security & part 2:...
TRANSCRIPT
www.thales-esecurity.com
Dr. Mohammad Shahir CISSP, CEng
Senior Security Consultant
Part 1
The Future Evolution of E-Banking &
Cyber Security
Thales e-Security | CONFIDENTIAL
Twitter @Blackcat
LinkedIn Shahir Majed Shikh
Speaker Profile: Dr. Mohammad Shahir, Senior Security Consultant, Thales e-Security
Dr. Shahir has 11 years of IT security experience and knows the Malaysian security market, where he is regarded as a security evangelist. He was previously with MIMOS, T-Systems and Hewlett Packard, focusing on the Internet of Things, embedded security platforms in systems engineering, and security assessment and consulting. He was responsible for the delivery and support of security professional services to enterprise customers including McAfee, HP, Royal Dutch Shell, British American Tobacco and several multinational banks, covering systems security engineering, network security design, PKI infrastructure and Integrated Operations (IO as a service). He is a professional member of the IEEE and the IET.
Objectives & Key Results
By the end of the session, participants will:
• Understand the cyber attack threats that organisations are facing
  • What are the threats?
  • Who are the attackers?
  • How do attacks happen?
  • How to prevent and prepare for the unknown?
• Talk knowledgeably and confidently on the subject
Cyber Security is Making Headlines
"We know hackers steal people's identities and infiltrate private e-mail."
"Now our enemies are also seeking the ability to sabotage our financial institutions. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
President Obama in his State of the Union address 2013
What is happening in the field?
• RSA 2011: IP theft (Hi-Tech)
• DigiNotar 2011: >500 fake certificates issued (PKI)
• Target 2013: 40M credit card data, 70M PII (Retail)
• JPMorgan Chase 2014: 76M household and 7M business data (Bank)
• Major banks in US 2012: web presence affected under DDoS (Bank)
• ?
Data Breaches: Threat Motives, Actors & Costs
• Hacking: 35% of incidents, 75% of identities breached
• $145 per compromised record
• >3% of annual profits of US$22.6B: costs >$780m if 10% of 54M customer records breached
• Black market rate: $4-80 per credit card, varies with types and countries; 2-4% of account balance
Sources: Dell SecureWorks Report 2014; McAfee Report 2013; Symantec Report 2014; Ponemon Institute 2014; HSBC Annual Report 2013
Losses from Different Forms of Cyber Attacks
Malicious code, DDoS, Web-based attacks account for the highest losses
Source: Ponemon Cost of Cybercrime US Study 2013
Company size >13,882 staff Company size ≤13,882 staff
Anatomy of RSA Data Breach: (1) Spear-phishing
Combination of:
• Unsuspecting employee
• Phishing emails
• Zero-day exploits
• Malicious code to create backdoors
Malware payload:
1. The .xls file contained an exploit through an Adobe Flash zero-day vulnerability that installed a backdoor using a Poison Ivy RAT variant set in a reverse-connect mode
Sources: EMC, TrendMicro
Anatomy of RSA Data Breach: (2) Malicious Code Infection
[Diagram: infected PC (malware payload) behind the firewall; malware command & control centre outside the firewall; servers containing company secrets]
1. Infected PC reaches out to the command and control centre, evading IPS/IDS detection
2. Attacker moved laterally to identify users with more access and admin rights to relevant services and servers of interest
3. Data exfiltration
Sources: EMC, TrendMicro
SQL Injection – Illustrated
[Diagram: Firewall; Hardened OS running Web Server and App Server (Custom Code); Firewall; back end of Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing. The APPLICATION ATTACK travels at the Application Layer, above the Network Layer, and reaches the business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce. Flow: HTTP request -> SQL query -> DB Table -> HTTP response.]
Injected query:
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Form fields: Account: / SKU:
Result returned to the attacker (Account Summary):
Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
Source: OWASP
SQL injection was responsible for the attacks at Heartland and Sony, both incidents resulting in the compromise of >100M card records.
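The injected query above, worked through as an added example (this is not code from the OWASP slide or from the presentation): a small Python program with an in-memory SQLite table holding the four account numbers shown on the slide, a lookup that concatenates form input into the SQL text the way step 3 describes, and the parameterised form of the same lookup. The `' OR 1=1--` payload returns every row from the first and nothing from the second. The `rows_exceed_expected` check is an assumed application-side control, not something the slide describes: a lookup keyed on one account that returns more than one row is worth logging as a possible injection.

```python
import sqlite3

# Sample rows: the four masked account numbers shown on the OWASP slide,
# paired with constructed SKU values.
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "SKU-1001"),
    ("4128-7574-3921-0192", "SKU-1002"),
    ("5424-9383-2039-4029", "SKU-1003"),
    ("4128-0004-1234-0293", "SKU-1004"),
]

# The form value from the slide's injected query.
INJECTION_PAYLOAD = "' OR 1=1--"


def build_db():
    """Create an in-memory accounts table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, sku TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Step 3 on the slide: form data is pasted straight into the SQL text.

    With the payload the statement becomes
        SELECT * FROM accounts WHERE acct='' OR 1=1--'
    and the OR 1=1 matches every row; the -- comments out the stray quote.
    """
    query = "SELECT * FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, acct):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


def rows_exceed_expected(rows, expected_max=1):
    """Assumed application-side check: a single-account lookup should return
    at most one row; more than that is an anomaly worth alerting on."""
    return len(rows) > expected_max


def demo():
    """Run both lookups with the injection payload and a legitimate account."""
    conn = build_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, INJECTION_PAYLOAD)),
        "parameterized_rows": len(lookup_parameterized(conn, INJECTION_PAYLOAD)),
        "legit_rows": len(lookup_parameterized(conn, "5424-6066-2134-4334")),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterised lookup does not need input filtering to be safe: the driver sends the value separately from the statement, so the quote and comment characters in the payload are just data. The row-count check is a cheap detection, not a substitute for parameterisation.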
DDoS (Distributed Denial of Service)
DDoS is an attempt to make ANY Internet-facing system (websites, VoIP, DNS, email or VPNs) unavailable to users.
• Attacking computers are typically compromised PCs known as "zombies". They attack simultaneously from many locations.
• Attacks come in many variations. These attacks continually evolve to outwit detection and mitigation devices.
What happens during a DDoS attack?
• ISP: null-routes traffic without telling the customer, refuses to carry customer traffic
• Routers: CPU goes to 100%, can't 'ssh' into router, links go down due to BGP failure
• Firewalls: 100% CPU and packets get dropped, connection tables fill, license limits hit
• Application / DB servers: operations hang and need re-booting
• IPS / IDS: high packet rates cause 'choke points'; SIEM becomes unresponsive
• On-premise scrubbers: attack > capacity, license limits hit, false positives
• Cloud scrubbing: traffic 'disappears', scrubbing capacity limits
You can now shop for DDoS …
Source: Gwapo's DDOS Service posted on Youtube
Greeted by courteous sales representatives
Do's and Don'ts
Columns: Current state | Prevent, detect, respond | Improve immune system | Work with trusted partners
• Determined attacker in a targeted environment can bypass perimeter defences
• Line between external parties, partners and insiders is getting blurred => require assurance on the security of all parties
• End-user awareness is key; move away from the "click now, think later" mentality
• Use technology and processes (e.g. dual authorisation, behaviour & intelligence) to monitor and enforce policy
• Operations Technology and Information Technology need proper segregation
• Rapid change in threats and technologies requires professional help from experts
• Prioritise what needs to be done
Cyber attacks are real and getting sophisticated
The Balance
Operational perspective: Availability, Accessibility, Responsiveness, Mobility
Security perspective: Safe, Verifiable, Consistent, Auditable
Following examples are taken from actual engagements (clients' identities hidden)
Thank You
Talk to our professionals to learn more...
Follow-up Actions
Dr. Mohammad Shahir
Tel: +6016-2497882
www.thales-esecurity.com
Anupam Ratha
Director of Engineering
EZMCOM, Inc.
Part 2
Account Takeover (ATO) Hacking 101
EZMCOM Inc. | EIGHTH INTUITION SDN BHD
Anupam has fifteen years' experience in the security and internetworking domain of technology. He is co-founder and Technical Director of EZMCOM Inc., a company with a razor-sharp focus on authentication and digital signature solutions. Anupam holds patents (US8868909 & PCT/MY2006/000013) in the field of security and has expertise in internetworking routing protocols, digital security, PKI, mobile platforms and web technologies. He has a BS in Computer Science from the Army Institute of Technology in India.
Golden Rules To Safety
1. EV SSL: "Look for the more visible green bar to ensure you are on the genuine site"
2. SITE IMAGE: "Look for your chosen image and phrase to identify the genuine site"
3. TAC / TOKEN (SMS TAC, OTP token): "Read contents of SMS alerts carefully"; "Do not share your TAC / Security Code with anyone"
"So what's causing this!"
"A record-high 2.91 billion yen (US$24 million) was stolen in 2014 from Japanese bank accounts accessible through the Internet, about double the amount illegally taken the year before." - The National Police Agency
"Online banking fraud has exploded in 2014 with £29.3 million worth of damage being done in the first six months, 71 per cent higher than at the same period last year." - Financial Fraud Action UK
CHOOSE AN EXPLOIT MECHANISM
1. OWN THE USER: by getting the user onto a fraudulent mobile app or an exploited e-commerce website
2. INITIATE A PAYMENT: by luring the user with an attractive deal; gain trust by showing the logo and the personalised site image, obtained using MITM
3. INTERCEPT THE SMS / MULE THE USER INTO ENTERING THE TAC/OTP: using MITM, and use the TAC/OTP for a fraudulent transaction in real time
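Step 3 seen from the bank's side, as an added example (this is not EZMCOM's product or code, and the presentation does not describe this scheme): a TAC derived with HMAC over the account, payee, amount and a per-transaction nonce, an SMS alert whose text spells out what the code authorises, and a check that applies rule 3 above by comparing the alert with the payment the user intended. The server key, the alert format, `issue_tac` and the MYR amounts are assumptions made for the demonstration. The scenario shows the two halves of the defence: a code issued for the MITM-altered payment does not verify against the payment the user intended, so a captured TAC cannot be re-used for a different transaction, and the alert text, read carefully, exposes the altered payee and amount before the user types anything in.

```python
import hashlib
import hmac
import re

# Hypothetical server-side secret, constructed for this demo only; a real
# deployment would keep the key in an HSM and never in source.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Assumed alert format: the message states what the code authorises so the
# customer can compare it with the payment they meant to make.
SMS_PATTERN = re.compile(
    r"TAC (\d{6}) authorises payment of MYR ([\d.]+) to (.+?)\. Do not share"
)


def issue_tac(account, payee, amount, nonce):
    """Derive a 6-digit TAC bound to one transaction (assumed derivation).

    Because payee, amount and nonce are part of the HMAC input, a code issued
    for one payment verifies only for that exact payment.
    """
    msg = f"{account}|{payee}|{amount:.2f}|{nonce}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def verify_tac(account, payee, amount, nonce, submitted):
    """Recompute the code for the transaction the bank holds and compare in constant time."""
    expected = issue_tac(account, payee, amount, nonce)
    return hmac.compare_digest(expected, submitted)


def build_sms(tac, payee, amount):
    """Alert text sent to the customer's phone (assumed wording)."""
    return f"TAC {tac} authorises payment of MYR {amount:.2f} to {payee}. Do not share this code."


def sms_matches_intent(sms, intended_payee, intended_amount):
    """Rule 3 ('read contents of SMS alerts carefully') as a check:
    True only if the alert names the payee and amount the user intended."""
    m = SMS_PATTERN.match(sms)
    if not m:
        return False
    _, amount_str, payee = m.groups()
    return payee == intended_payee and abs(float(amount_str) - intended_amount) < 0.005


def scenario():
    """Constructed MITM scenario: the user intends one payment, the attacker
    submits another, the bank issues a TAC for what it actually received."""
    account = "1234567890"          # constructed account id
    nonce = "txn-0001"              # constructed per-transaction nonce
    intended_payee, intended_amount = "Online Shop Sdn Bhd", 150.00
    altered_payee, altered_amount = "Mule Account", 5000.00

    tac_for_altered = issue_tac(account, altered_payee, altered_amount, nonce)
    sms = build_sms(tac_for_altered, altered_payee, altered_amount)
    return {
        # The alert names the wrong payee and amount: the user should stop here.
        "alert_matches_intent": sms_matches_intent(sms, intended_payee, intended_amount),
        # The code is valid for the transaction the bank actually holds...
        "tac_valid_for_altered": verify_tac(account, altered_payee, altered_amount, nonce, tac_for_altered),
        # ...but not for the payment the user thought they were approving.
        "tac_valid_for_intended": verify_tac(account, intended_payee, intended_amount, nonce, tac_for_altered),
    }


if __name__ == "__main__":
    print(scenario())
```

The binding on its own does not stop a user who enters a code for a transaction the attacker initiated; it stops the code from being moved to a different transaction. The alert content is what gives the customer the chance to notice the substitution, which is why the rule on the slide is to read it rather than just copy the digits.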