joint presentation - part 1: the future evolution of e-banking & cyber security & part 2:...

Upload: knowledge-group

Post on 16-Jul-2015

TRANSCRIPT

www.thales-esecurity.com

Dr. Mohammad Shahir CISSP, CEng

Senior Security Consultant

Part 1: The Future Evolution of E-Banking & Cyber Security

Thales e-Security | CONFIDENTIAL

Twitter @Blackcat

LinkedIn Shahir Majed Shikh

Speaker Profile

Dr. Shahir has 11 years of IT security experience and knows the Malaysian security market, where he is considered a security evangelist. He was previously attached to MIMOS, T-Systems and Hewlett Packard, focusing on Internet of Things, Embedded Security Platform on System Engineering, Security Assessment and Consulting. Dr. Shahir was responsible for the delivery and support of security professional services to enterprise customers including McAfee, HP, Royal Dutch SHELL, British American Tobacco and several multinational banks, on security solutions and services such as Systems Security Engineering, Network Security Design, PKI Infrastructure and Integrated Operation (IO as a service). He is a professional member of IEEE & IET.

Dr. Mohammad Shahir, Senior Security Consultant, Thales E-Security


Objectives & Key Results

By the end of the session, participants will:

• Understand the cyber attack threats that organisations are facing
  • What are the threats?
  • Who are the attackers?
  • How do attacks happen?
  • How to prevent and prepare for the unknown?
• Talk knowledgeably and confidently on the subject

Cyber Security is Making Headlines

"We know hackers steal people's identities and infiltrate private e-mail."

"Now our enemies are also seeking the ability to sabotage our financial institutions. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

President Obama in his State of the Union address 2013

What is happening in the field?

• RSA 2011: IP theft (Hi-Tech)
• DigiNotar 2011: >500 fake certificates issued (PKI)
• Target 2013: 40M credit card data, 70M PII (Retail)
• JPMorgan Chase 2014: 76M household and 7M business data (Bank)
• Major banks in US 2012: web presence affected under DDoS (Bank)
• ?


Data Breaches: Threat Motives, Actors & Costs

Sources: Dell SecureWorks Report 2014; McAfee Report 2013; Symantec Report 2014; Ponemon Institute 2014; HSBC Annual Report 2013

• Hacking: 35% of incidents, 75% of identities breached
• $145 per compromised record
• >3% of annual profits of US$22.6B: costs >$780m if 10% of 54M customer records breached
• Black market rate: $4-80 per credit card, varies with types and countries
• Black market rate: 2-4% of account balance


Losses from Different Forms of Cyber Attacks

Malicious code, DDoS and web-based attacks account for the highest losses.

Source: Ponemon Cost of Cybercrime US Study 2013

[Chart: losses by attack type, company size >13,882 staff vs company size ≤13,882 staff]


How do attacks happen?


Anatomy of RSA Data Breach: (1) Spear-phishing

Combination of: unsuspected employee, phishing emails, zero day exploits, malicious code to create backdoors

1. The .xls file contained an exploit through an Adobe Flash zero-day vulnerability that installed a backdoor using a Poison Ivy RAT variant set in a reverse-connect mode

[Diagram: malware payload delivered by the spear-phishing attachment]

Sources: EMC, TrendMicro


Anatomy of RSA Data Breach: (2) Malicious Code Infection

[Diagram: infected PC behind two firewalls; malware payload; command & control centre; servers containing company secrets]

1. Infected PC reaches out to the command and control centre, evading IPS/IDS detection
2. Attacker moved laterally to identify users with more access and admin rights to relevant services and servers of interest
3. Data exfiltration

Sources: EMC, TrendMicro


Anatomy of Target Data Breach

Source : IBM


SQL Injection – Illustrated

[Diagram (OWASP): HTTP request → web server → app server (custom code) → databases; firewalls at the network layer; back-end legacy systems, web services, directories, human resources, billing; application-layer business functions: accounts, finance, administration, transactions, communication, knowledge management, e-commerce; SQL query → DB table; HTTP response; form fields Account / SKU]

Query reaching the database with the attack in the form data:

"SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user

Account Summary returned to the attacker:

Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293

Source: OWASP

SQL injection was responsible for the attacks at Heartland and Sony, both incidents resulting in the compromise of >100M card records.
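The five steps above show the form value travelling into the query unchanged. As an added example, not part of the original deck or of OWASP's material, the Python script below builds an in-memory SQLite table with constructed rows modelled on the slide's account summary, runs the slide's attack string through a string-built query, and then shows the two fixes a practitioner would apply: a parameterised query and an input-format allow-list in front of it. The table, column names and function names are assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data (not from any real system); the masked card-style
# numbers mirror the "Account Summary" output shown on the OWASP slide.
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
    ("4128-0004-1234-0293", "dave"),
]

# Allow-list for the account field: four groups of four digits, nothing else.
ACCT_RE = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{4}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, acct: str) -> list:
    """Step 3 on the slide: the form value is pasted into the SQL text, so
    whatever the user typed becomes part of the query's grammar."""
    sql = f"SELECT acct, owner FROM accounts WHERE acct='{acct}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, acct: str) -> list:
    """Hardened form: fixed SQL text, value sent as a bound parameter, so the
    database compares it as a string literal and never parses it as SQL."""
    sql = "SELECT acct, owner FROM accounts WHERE acct=?"
    return conn.execute(sql, (acct,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, acct: str) -> list:
    """Defence in depth: reject anything not shaped like an account number
    before it reaches the database, then use the bound parameter."""
    if not ACCT_RE.match(acct):
        raise ValueError("account field does not match the expected format")
    return lookup_parameterized(conn, acct)


def demo() -> dict:
    """Run the slide's attack string through each variant and report the rows
    each one returns (or 'rejected' when the format check fires)."""
    conn = make_db()
    payload = "' OR 1=1--"  # the form data shown on the slide
    try:
        hardened = lookup_hardened(conn, payload)
    except ValueError:
        hardened = "rejected"
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "4128-7574-3921-0192"),
        "attack_vulnerable": lookup_vulnerable(conn, payload),
        "attack_parameterized": lookup_parameterized(conn, payload),
        "attack_hardened": hardened,
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Run it and the vulnerable lookup returns every row for the attack string, while the parameterised lookup returns none and the format check rejects the input before any query is sent. The fix is the bound parameter, not hand-escaping quotes; the allow-list is an extra layer that also gives a clean signal to log and alert on.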


DDoS (Distributed Denial of Service)

DDoS is an attempt to make ANY Internet-facing systems (websites, VoIP, DNS, email or VPNs) unavailable to users.

• Attacking computers are typically compromised PCs known as "zombies". They attack simultaneously from many locations.
• Attacks come in many variations. These attacks continually evolve to outwit detection and mitigation devices.


What happens during a DDoS attack?

• ISP: null-routes traffic without telling the customer, refuses to carry customer traffic
• Routers: CPU goes to 100%, can't 'ssh' into the router, links go down due to BGP failure
• Firewalls: 100% CPU and packets get dropped, connection tables fill, license limits hit
• Application / DB servers: operations hang and need re-booting
• IPS / IDS: high packet rates cause 'choke points'; SIEM becomes unresponsive
• On-premise scrubbers: attack > capacity, license limits hit, false positives
• Cloud scrubbing: traffic 'disappears', scrubbing capacity limits
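The symptoms listed above are what operators see once devices are already saturated. As an added example that is not part of the original presentation, the Python script below shows a first-pass check that can run earlier, over web-server access logs, to tell a distributed burst (many sources at once, the "zombies" the slide describes) apart from a single noisy client. The log lines and thresholds are constructed for the illustration, and the Common Log Format parser and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: source, ident, user, [timestamp], "request", status, size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_clf(line: str):
    """Return (source, timestamp) for a CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("src"), ts


def make_sample_log() -> list:
    """Constructed traffic (not captured from a real server):
    seconds 0-2: three ordinary clients at 2 requests/s each;
    second 3:    40 distinct sources, one request each (distributed burst);
    second 4:    one source sending 30 requests (single noisy client)."""
    tmpl = '{src} - - [16/Jul/2015:10:00:{sec:02d} +0800] "GET /login HTTP/1.1" 200 512'
    lines = []
    for sec in range(3):
        for src in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
            lines += [tmpl.format(src=src, sec=sec)] * 2
    lines += [tmpl.format(src=f"203.0.113.{i + 1}", sec=3) for i in range(40)]
    lines += [tmpl.format(src="198.51.100.7", sec=4)] * 30
    return lines


def per_second_stats(lines) -> dict:
    """Aggregate request count and distinct-source count per wall-clock second."""
    buckets = defaultdict(lambda: {"requests": 0, "sources": set()})
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the check
        src, ts = parsed
        key = ts.strftime("%H:%M:%S")
        buckets[key]["requests"] += 1
        buckets[key]["sources"].add(src)
    return dict(buckets)


def flag_distributed_bursts(lines, min_requests=20, min_sources=15) -> list:
    """Seconds where aggregate rate AND source diversity both exceed thresholds.
    A single noisy client trips only the rate test and is left to other rules."""
    stats = per_second_stats(lines)
    return [
        key for key, st in sorted(stats.items())
        if st["requests"] >= min_requests and len(st["sources"]) >= min_sources
    ]


if __name__ == "__main__":
    log = make_sample_log()
    for key, st in sorted(per_second_stats(log).items()):
        print(f"{key}: {st['requests']:3d} requests from {len(st['sources']):3d} sources")
    print("distributed bursts:", flag_distributed_bursts(log))
```

The detector flags 10:00:03 (40 requests from 40 sources) but not 10:00:04 (30 requests from one address), which a per-client rate limit handles on its own. Thresholds need tuning against the site's normal traffic, and during a real event the log pipeline may itself be one of the choke points the slide lists, so this is a triage aid rather than a mitigation.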


You can now shop for DDoS …

Source: Gwapo's DDOS Service posted on Youtube

Greeted by courteous sales representatives


What have we learned? What can we do about them?


Do’s and Don’ts

Cyber attacks are real and getting sophisticated

Current state | Prevent, detect, respond | Improve immune system | Work with trusted partners

• Determined attacker in a targeted environment can bypass perimeter defenses
• Line between external, partners and insiders getting blurred => require assurance on security of all parties
• End-user awareness is key; move away from "click now, think later" mentality
• Use technology and processes (e.g. dual authorisation, behaviour & intelligence) to monitor and enforce policy
• Operations Technology and Information Technology need proper segregation
• Rapid change in threat and technologies requires professional help from experts
• Prioritise what needs to be done


The Balance

Operational perspective: availability, accessibility, responsiveness, mobility

Security perspective: safe, verifiable, consistent, auditable

Following examples are taken from actual engagements (clients’ identities hidden)


Thank You

Follow-up Actions: talk to our professionals to learn more…

Dr. Mohammad Shahir

Tel : +6016-2497882

[email protected]

www.thales-esecurity.com

Part 2: Account Takeover (ATO) Hacking 101

Anupam Ratha, Director of Engineering, EZMCOM, Inc.

EZMCOM Inc. | EIGHTH INTUITION SDN BHD

Anupam has fifteen years’ experience in the security and internetworking domain of technology. He is Co-founder and Technical Director of EZMCOM Inc., a company with a razor-sharp focus on Authentication & Digital Signature solutions. Anupam holds patents (US8868909 & PCT/MY2006/000013) in the field of security and has expertise in internetworking routing protocols, digital security, PKI, mobile platforms and web technologies. He has a BS in Computer Science from Army Institute of Technology in India.

[Diagram: online banking protected by IPS, IDS, WAF, hardening, patch management, host-based firewall and phishing monitoring]

Online Banking: “Golden Rules to Security”

Golden Rules To Safety

1. EV SSL: “Look for the more visible green bar to ensure you are on the genuine site”
2. Site image: “Look for your chosen image and phrase to identify genuine site”
3. TAC / Token (SMS TAC, OTP token): “Read contents of SMS alerts carefully”; “Do not share your TAC/ Security Code with anyone”

“So what’s causing this!”

“A record-high 2.91 billion yen (US$24 million) was stolen in 2014 from Japanese bank accounts accessible through the Internet, about double the amount illegally taken the year before.” (The National Police Agency)

“Online banking fraud has exploded in 2014 with £29.3million worth of damage being done in the first six months, 71 per cent higher than at the same period last year.” (Financial Fraud Action UK)

Online Banking: “So Where’s The Problem”

SO WHERE’S THE PROBLEM! HERE AND HERE

SECURITY IS NO STRONGER THAN ITS WEAKEST LINK

“So here is how an attacker will exploit the weakness”

The Problem

1. THE $ LURE
2. THE ‘WEAK’ ENTRY POINTS
3. LEVERAGE THE ‘TRUST’ FACTORS

CHOOSE AN EXPLOIT MECHANISM: MAN-IN-THE-MOBILE (MITMo)

1. OWN THE USER by getting a fraudulent mobile app OR exploited e-commerce website
2. INITIATE A PAYMENT by luring the user to an attractive deal. Gain trust by showing the logo, personalized site image using MITM
3. INTERCEPT SMS / MULE THE USER TO ENTER TAC/ OTP using MITM and use TAC/ OTP for fraudulent purpose in real time
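Step 3 works because a TAC that is valid for "a transaction" can be used for a different one in real time. As an added example that is not part of the original presentation or of any EZMCOM product, the Python script below contrasts a session OTP (bound only to the user and a counter) with a transaction-bound TAC whose MAC input commits to the payee and amount, and whose SMS text states both so the user can apply golden rule 3 and read it before entering the code. The server secret, user, payees, amounts and nonce are constructed for the illustration; deriving the digits by RFC 4226-style dynamic truncation is an assumption about how a bank would do it.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example; a real deployment keeps this
# key in an HSM or key store, never in source.
SERVER_SECRET = b"constructed-example-secret-not-for-use"
TAC_DIGITS = 6


def _truncate(digest: bytes) -> str:
    """Dynamic truncation in the style of RFC 4226 (HOTP): pick 4 bytes at an
    offset given by the last nibble and reduce them to TAC_DIGITS digits."""
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** TAC_DIGITS:0{TAC_DIGITS}d}"


def session_otp(user: str, counter: int) -> str:
    """Weak scheme: the code depends only on the user and a counter."""
    msg = f"{user}|{counter}".encode()
    return _truncate(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest())


def verify_session_otp(user, counter, payee, amount_cents, submitted) -> bool:
    """payee and amount_cents are ignored: any transaction is accepted while
    the code is valid, which is what lets a relayed OTP be used in real time."""
    return hmac.compare_digest(session_otp(user, counter), submitted)


def transaction_tac(user: str, payee: str, amount_cents: int, nonce: str) -> str:
    """Transaction-bound TAC: the MAC input commits to payee and amount."""
    msg = f"{user}|{payee}|{amount_cents}|{nonce}".encode()
    return _truncate(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest())


def issue_tac(user: str, payee: str, amount_cents: int, nonce: str = None) -> tuple:
    """Bank side: create a pending-transaction nonce, the TAC for exactly that
    transaction, and the SMS text that spells out what is being authorised."""
    nonce = nonce or secrets.token_hex(8)
    tac = transaction_tac(user, payee, amount_cents, nonce)
    sms = (f"TAC {tac} authorises payment of MYR {amount_cents / 100:.2f} "
           f"to {payee}. If this is not your transaction, do not enter it.")
    return nonce, tac, sms


def verify_tac(user, payee, amount_cents, nonce, submitted) -> bool:
    """Recompute over the transaction actually being submitted, so a TAC
    issued for one payee/amount fails for any other."""
    expected = transaction_tac(user, payee, amount_cents, nonce)
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    user = "alice"
    legit = ("Utility Co", 12_000)   # MYR 120.00, what the user intended
    other = ("Mule Acct", 500_000)   # MYR 5000.00, a different transaction
    # Fixed constructed nonce so the demo is repeatable; issue_tac normally
    # draws a fresh random one per pending transaction.
    nonce, tac, sms = issue_tac(user, *legit, nonce="0123456789abcdef")
    otp = session_otp(user, 7)
    return {
        "sms": sms,
        "tac_ok_for_intended": verify_tac(user, *legit, nonce, tac),
        "tac_ok_for_other": verify_tac(user, *other, nonce, tac),
        "otp_ok_for_intended": verify_session_otp(user, 7, *legit, otp),
        "otp_ok_for_other": verify_session_otp(user, 7, *other, otp),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The bound TAC verifies for the intended payment and fails for the other payee and amount, while the session OTP verifies for both. Binding alone does not help a user who enters a TAC for a transaction they did not read about, which is why the SMS text spells out payee and amount and why the nonce is tied to one pending transaction on the server side.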

LIVE DEMONSTRATION