mfid whitepaper
Information Security at its best
Phone Numbers - +91-11-27476211-10, 47065866
Regd. Office – A-2/ 24, Shakti Nagar Ext; Delhi – 110052, India
Multifactor authentication and access to IT Infrastructure
By
INNEFU Labs Pvt. Ltd
Table of Contents
1. About Us
1.1 Credentials
1.2 Some of our Law enforcement clients
1.3 Corporate and PSU
1.4 Headquarters
2. Problem
2.1.1 Internal dangers
2.1.2 External threats
2.1.3 Attractive targets
3. MFID – Multifactor Authentication
3.1 Architecture
3.2 Process
4. Applications
4.2 Intranet Applications / Other web enabled applications
4.3 Email Servers / Database Servers
5. Features
6. Advantages
1. About Us
The world today revolves around information. Information is the energy that plays a critical
role in our personal lives and drives our businesses. As we move further into the digital age, it has
become imperative not just to protect our information from outsiders but also to draw intelligence
from the vast amount of information available to us.
The Internet is the new playground for unwanted elements of society intent on committing terrorist or
espionage activities, financial fraud or identity theft. Keeping this in mind, it has become
imperative not only to prevent these acts but also to be in a position to intercept, monitor and block
Internet communication and draw intelligence from it.
INNEFU is a research-oriented Information Security consulting group specializing in meeting the
Information Security needs of the consumer via specialized products and services. We believe in
innovating and creating the latest technologies to combat the rapidly growing menace of hacking
and to reduce dependency on human factors. We offer a complete gamut of Information Security
services under one roof, which includes our patented products such as 99% Secure - Cyber Cafe
Surveillance, Tactical Internet Interception, Multi Factor Authentication, Link Analysis and Pattern
Matching, and services such as complete corporate security process management, web application
security and managed security services.
INNEFU's specialization is intelligence gathering to prevent and investigate Internet crimes. Our
patented products, including Tactical Internet Interception and E-Mail Tracking System, have already
been used by Law Enforcement Agencies to investigate hacking attacks and gather intelligence, while
our Multifactor Authentication (MFID) system, integrated with a Risk Based Transaction Algorithm,
ensures secure and failsafe online / credit card transactions by creating a dynamic password
every time the user wishes to log in.
INNEFU's clients include several Law Enforcement Agencies such as NIA, NTRO, Jammu Police,
Ministry of Defense, Ministry of Home Affairs etc. We serve diverse industry verticals, the most
prominent amongst them being BFSI, BPOs/KPOs, E-commerce, IT/ITES, Education, Telecom etc.
We follow a "Chinese Wall Policy" to ensure that clients' identity and data are absolutely
confidential and accessed only by the onsite consultant and the project manager.
1.1 Credentials
• Board of advisors consists of ex-Army officers and professionals from organizations
including Microsoft, Infosys, Dell, CISCO etc.
• Tie-ups with multiple academic institutions for R & D
• R & D team consists of alumni of IIT Delhi, IIT Mumbai, IIT Kanpur
• More than 5000 hrs in the field of Information Security consulting
• The team has prior experience of working with organizations including Microsoft, Infosys,
Dell etc.
1.2 Some of our Law enforcement clients
• Ministry of Home Affairs
• Ministry of Defense
• Multiple state police departments including Delhi Police, J&K Police, Punjab Police etc.
• Economic Offence Wing
• NTRO
1.3 Corporate and PSU
• Bharat Electronics Ltd.
• Central Bank of India
• Intelliware Technologies
• Dena Bank
• Greater Mumbai Bank
• And counting many more…
1.4 Headquarters
AG -22, 2nd Floor,
Shalimar Bagh
Inner Ring Road,
New Delhi - 110088
A-2/24, Shakti Nagar Ext,
Delhi -110052, India
Phone - +91-11-47065866, 9313050131
2. Problem
“78% of all information security breaches are conducted by internal employees – CERT In statistics”
Organizations have established policies and architecture to enhance information security
within their organization. They use policies and tools such as anti-virus, firewalls, Unified
Threat Management and multiple security policies.
However, this architecture is better suited to perimeter security and is incapable of handling
insider threats, whereas organizations today can no longer afford to ignore information threats
from within.
“Internal fraud made up more than a quarter of the £1.19bn of fraud losses recorded in cases brought before UK courts in 2008”
Fig.1 Probable IT Architecture of an organization
2.1.1 Internal dangers
Unlike external information threats, internal information breaches are multidimensional. The threats
vary from misuse of official email and copying of confidential data to inserting backdoors into critical
applications. More importantly, these threats come from the most trusted of sources –
an organization's own employees.
More than half of all damage to information systems comes from authorized personnel who are
either untrained or incompetent. A fifth of the damage comes from dishonest and disgruntled
employees. An information breach by authorized personnel, whether intentional or accidental, can
cause irreparable damage to an organization.
2.1.2 External threats
The growth of Internet connectivity is drastically increasing the threat to information systems.
Today most systems are open to access via TCP/IP connections from the wider Internet. Many
organizations also link their systems tightly with those of trading partners using virtual private
networks (VPNs), which increases the number of people allowed to access the systems.
In such a scenario, it is imperative for an organization to monitor the flow of Internet traffic both into
and out of the organization, covering websites visited, emails, chats, file transfers, video,
audio etc.
2.1.3 Attractive targets
Most organizations are becoming favourite targets, whether of an amateur trying to hone his skills or of a
skilled criminal trying to get sensitive information out of the organization. The aim is either to
embarrass the organization or to sell the data to a competitor and thereby make money from it.
3. MFID – Multifactor Authentication
MFID, or Multifactor Identity Authentication, is a system in which a second factor of authentication,
apart from the user name and password, is required to authenticate the user and grant him access
to the critical resources of the bank.
MFID authenticates and verifies the user based on –
• User ID and password
• A second factor of authentication, which includes a registered mobile number and a passkey
generator
The one-time password is generated using a combination of multiple unbreakable encryption
algorithms. The algorithm generates an unbreakable one-time password every time the user logs
onto a DMZ (demilitarized zone) as specified by the IT architecture. The algorithm is similar to
the one implemented by US Military Intelligence for providing access to their critical applications.
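The whitepaper does not publish MFID's OTP algorithm, so the following is an added example and not INNEFU's code. It uses the public HOTP construction (RFC 4226, HMAC-SHA1 over an event counter, which is what a hard-token generator typically implements) to show what the server side of an OTP check has to get right: a look-ahead window for a token whose counter has drifted ahead, refusal of any code at or behind the last accepted counter (so a captured OTP cannot be replayed), constant-time comparison, and a failure counter that throttles guessing. The key is the RFC 4226 test-vector secret; the window size and lock-out limit are assumed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class OtpVerifier:
    """Server-side state for one user's hard token (assumed design, not MFID's).

    `counter` is the next counter value the server will accept. Every value
    below it has already been used or skipped and is refused, which is what
    stops replay of an OTP that was shoulder-surfed or phished."""

    def __init__(self, secret: bytes, window: int = 5, max_failures: int = 5):
        self.secret = secret
        self.counter = 0              # next expected token counter
        self.window = window          # how far ahead a drifted token may be
        self.failures = 0
        self.max_failures = max_failures
        self.locked = False

    def verify(self, submitted: str) -> bool:
        if self.locked:
            return False
        for c in range(self.counter, self.counter + self.window):
            # compare_digest keeps the comparison time independent of how
            # many leading digits happen to match
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # resynchronise and burn this code
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True        # RFC 4226 s7.3: throttle brute force
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"    # RFC 4226 test-vector secret
    v = OtpVerifier(key)
    print(v.verify(hotp(key, 0)), v.verify(hotp(key, 0)))  # True False (replay refused)
```

The window keeps a token usable after a few unsynchronised presses, but it also widens the guessing space; lowering it and locking the account after a handful of failures is the usual trade-off, and the lock should be surfaced to the security team rather than silently cleared.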
3.1 Architecture
Fig.2 Authentication using Hard Token
[Diagram: Normal authentication process. If the user is not authenticated, the client enters ID & password at the web application / DB server / Wi-Fi / VPN login page. The ID and password are verified against a database containing user information. If correct, the user is authenticated and redirected to your application or website.]
[Diagram: Authentication using hard token. If the user is not authenticated, the client enters ID & password at the web application / DB server / Wi-Fi / VPN login page. The ID and password are verified against the database containing user information. If correct, the user is redirected to an OTP verification page and submits the OTP produced by the hard token generator. If the OTP verifies, the user is authenticated and redirected to the protected content of your application or website.]
3.2 Process
• A RADIUS server will be used to –
o Authenticate the user
o Provide access to the user
• The RADIUS server will be integrated with an AAA server for authentication of the user using a One
Time Password
• Once the user is authenticated, the user request will be sent to the LDAP server
• The LDAP server will be used to provide authorization to the user
• All applications will be integrated via LDAP
• Multiple domains / virtual LANs will be created, with users allowed access to other domains
based on authentication requests, which will be forwarded to their own domains
• Citrix / Juniper VPN will be installed on specific machines to allow clients to work from
home (if required)
[Diagram: Domain 1 and Domain 2, each with its own RADIUS server and AAA server, both backed by a common LDAP server. Integrated services: 1. Web Applications 2. Intranet Applications 3. Email Servers 4. VPN 5. Database Servers 6. Employee Attendance 7. WiFi / LAN Network. Desktops / laptops log onto the web-based VPN.]
Fig.3 Architecture for Secure Single Sign On
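The process above and Fig. 3 route every login through a RADIUS server, which passes the credentials and OTP on to the AAA server. The wire format matters to whoever operates that server: RADIUS (RFC 2865) does not encrypt the Access-Request, it only hides the User-Password attribute by XORing it with MD5(shared secret || Request Authenticator) keystream blocks. The example below is added here and is not part of INNEFU's product or the whitepaper; it builds and parses such a request so the consequence is visible: anyone holding the NAS-to-server shared secret, or a weak secret that can be guessed from captured traffic, recovers the password and the OTP, so the secret must be long and unique per NAS and the RADIUS path should be protected (IPsec or RadSec per RFC 6614). The shared secret, the NAS address and the convention of appending the 6-digit OTP to the static password are constructed assumptions.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1          # RADIUS packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(S + c_{i-1})
    with c_0 = Request Authenticator. Keyed obfuscation on the shared secret,
    not encryption under an independent key."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + 16], block)
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, exactly as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be whole 16-byte blocks")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], block)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # drop RFC padding (assumes no trailing NUL in the password)


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         nas_ip: str = "192.0.2.10", identifier: int = 1,
                         authenticator=None) -> bytes:
    """What the NAS (VPN gateway, Wi-Fi controller, web login page) sends."""
    authenticator = authenticator or os.urandom(16)   # must be fresh per request
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """What the RADIUS server does before handing password and OTP onward."""
    if len(packet) < 20:
        raise ValueError("malformed Access-Request")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")   # reject before using the value
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {
        "identifier": identifier,
        "username": attrs[ATTR_USER_NAME].decode(),
        "password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator),
        "nas_ip": socket.inet_ntoa(attrs[ATTR_NAS_IP_ADDRESS]),
    }


def split_password_otp(combined: bytes, otp_digits: int = 6) -> tuple:
    """Assumed convention: static password followed by the OTP digits."""
    if len(combined) <= otp_digits or not combined[-otp_digits:].isdigit():
        raise ValueError("no OTP suffix present")
    return combined[:-otp_digits], combined[-otp_digits:]
```

Because the Request Authenticator is the only per-request randomness in the hiding scheme, a NAS that reuses authenticators leaks XOR differences between passwords, which is a second reason to verify the NAS implementation and not rely on RADIUS alone for confidentiality between the login page and the AAA server.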
4. Applications
The following applications will be integrated within this architecture –
4.1 Remote Access / Virtual Private Network (VPN)
Salespeople, care workers, engineers and traveling executives need secure access to the corporate
network while ‘on the road’. These users demand the most flexible range of access methods
including the following.
• VPN over wireless, whenever their laptop can connect to a WiFi hotspot
• VPN over a broadband connection from a laptop when at home
• Web access to email and other Web-enabled applications from an Internet café or other
insecure PC
These users must be able to use a single set of secure authentication credentials at all of the access
points that the enterprise has enabled.
4.2 Intranet Applications / Other web enabled applications
Specific individuals need to be granted deep and broad access to core business systems, typically
through Web portals. They need to be securely authenticated; it is no longer sufficient to rely on just
the IP address of the remote network to validate identity.
These individuals may be logging in from any Web-enabled system: a corporate desktop or home
PC, for example. And so, there should be no requirement for two-factor authentication of the client
4.3 Email Servers / Database Servers
Social engineering and phishing attacks are used rampantly by hackers to obtain the passwords of user
accounts. Unaware users fall prey to these attacks and end up handing their passwords to
hackers, colleagues or other users.
Information inside users' mails or database servers can cause immense harm to the organization, and
as a result has to be protected. With two-factor authentication, it becomes impossible for a hacker
or another user to impersonate someone else's credentials. This provides unbreakable security to the
organization from phishing, social engineering or other hacking attacks.
5. Features
o Single Sign-On access – The user will only have to authenticate himself once to be
allowed secure access to all applications authorized to him, including mails, intranet
applications etc.
o Dual authentication based on One Time Password – This will ensure that the
user and the organization are hundred percent protected from identity theft
o Authorization to access limited applications – The user will only be allowed
access to limited applications. Only authorized viewers will be allowed access to the
critical IT network
o Allowing employees work-from-home options in a secure and moderated
environment – A Virtual Private Network will be installed for all users to support a work-
from-home policy, which may be implemented by any organisation
o Platform-independent authentication mechanism
o Security from identity theft – A dynamic One Time Password will ensure that the
organization is safe from bouts of phishing attacks
6. Advantages
Your user gets:
• Easy access to resources
• No extra codes to remember
• Use of whatever mobile phone or device they wish
• Works worldwide
Your IT staff gets:
• Zero user administration
• 100% integration with Microsoft AD
• Integration with firewalls through RADIUS
• Seamless integration with the current setup
• 100% control of 'who can access my system'
• No deployment of devices or software to users
• Works worldwide
Your CIO gets:
• Simple price setup
• Test for free before investing
• Less user administration
• Better use of the IT systems you already have
• You know who can access your system - and when!
• Easy log maintenance for future analysis