Thursday, November 28, 2019
White paper on Information security systems free essay sample
Over the past decade Panther Industries has been providing banks worldwide with safe banking solutions and protection against cybercriminals. However, with 128 million malware programs written each year [1], banking institutions are only becoming more vulnerable to the threat of cyber-attacks. So it is no surprise that Panther Industries, a world leader in web-banking technology, has itself become a target of these emerging threats. More specifically, our systems have recently faced attacks from two newer forms of security threat, namely 'Man in the browser' (MITB) and 'Man in the middle' (MITM), two Trojan horse type programs. These two threats work by altering the confidential banking data of the users and Panther Industries' security mechanism. MITB has targeted the two most widely used browsers, IE and Firefox, by modifying their web assembly structure and stealing user information such as passwords. MITM implements a similar technique of 'phishing' by intruding on verification and redirecting bank customers to a counterfeit server which captures the sensitive information.

To retain clients' confidence in Panther Industries, strong authentication and transaction verification techniques need to be implemented to prevent fraud and identity theft. This white paper details the nature of MITB and MITM attacks and their ability to intercept and modify an online banking transaction. As protection against these threats, this paper also offers as a solution the use of mobile phones and personal digital assistants (PDAs) as software tokens to generate unique digital signatures that will lend security and authenticity to browser-based transactions.
With the ever-increasing advancements in next generation mobile commerce and smartphone technology, this solution is not only secure but also convenient. Another solution proposed in this paper is the creation of VPS or Virtual Private Sessions, wherein the server sends a confirmation to the user which the user must approve for the transaction to be processed.

2. System Description

The software architecture at Panther Industries is designed to provide stable enterprise functionality with a host interface that integrates with the back-end in real time. This architecture provides the convenience of defining and executing business functions through more than one customer channel. The first tier of the software architecture is the user interface, which is simply the web browser, such as IE or Firefox, used by the bank customers to sign in to their online banking account. Our banking clients require no special installation for this. The second tier is a PHP based secure application server that offers enterprise level applications. At Panther Industries PHP, and not HTML, was chosen for scripting as it is the most popular web development language, used and recommended by IBM, Oracle, HP and many other technology leaders. PHP is a simple, flexible yet powerful and accessible programming language suited for coding and executing web applications. At Panther Industries PHP has been the lead scripting language used for integrating banking functions and data from a range of existing systems and applications. The third tier consists of a database server which Panther Industries has developed per the ANSI 92 industry standard to be deployed on highly scalable database engines such as Oracle and MySQL. The software platform can be deployed in three ways, namely centralized, distributed (inside) and distributed (outside).
In the centralized form of deployment, the central database is accessed via a single point with the same control panel for all system administrators and bank managers. When deployed as distributed (inside), the system supports head offices as well as branches. The system administrator module, the back office and the primary servers (application server and database server) are located in the head office, with each branch retaining its own copy. In the distributed (outside) type of deployment the two primary servers are installed on tenanted facilities and on the network of a data center located outside the bank.

The use of this software platform at Panther Industries is two-fold: it is used by personal and corporate clients as well as by bank employees. The client registration process consists of two stages. The first stage is the preliminary registration, wherein the client fills out personal details on the registration page, which generates public and private keys for further use. Upon acceptance of the bank service agreement the client's user account is activated by the administrator. From that point on, the client can access and analyze various banking documents online. All the documents and records accessed by the client are archived, and business continuity is ensured as per the service agreement. The system permanently removes all of the client's financial information if the service agreement is terminated.

The other users are the bank employees, namely the System Administrator (SA), Branch Administrator (BA), Bank Manager (BM) and Technical Administrator (TA). The SA acts as the supervisor for the system, registering all the bank employees and managing the user accounts. The control panel provides the SA with analytical and statistical reports about bank activity. The BA administers the managers' and clients' user accounts, assigns a bank manager to each account, and schedules and synchronizes system operation.
The BM is primarily responsible for processing clients' financial documents, checking the accuracy of client activity and responding to client requests via mail. The TA is responsible for the overall monitoring, administration and configuration of the system.

3. System Strengths and Weaknesses

3.1 System strengths

The software architecture at Panther Industries is designed to provide stable enterprise functionality via a robust front-end architecture and real-time integration with back-end systems via a host interface. To proactively manage cyber-security risks Panther Industries provides its clients with the following security tools:

1. Data encryption: The latest encryption techniques, such as 128-bit Secure Socket Layer (SSL), are followed to ensure secure transmission of data. 128-bit SSL ensures that the customer is communicating with the bank's website and not with another computer impersonating the bank. This type of encryption also scrambles the sensitive data so that it cannot be read by hackers. At 128 bits, the data can be encrypted using 2^88 times the number of combinations of standard 40-bit encryption, making this encryption a trillion times stronger [5]. Panther Industries provides the technology for our clients to offer this encryption to 99.99% of their customers. Lastly, 128-bit encryption ensures that no data was altered or tampered with during transmission.

2. Session handling: To heighten cyber-security, Panther Industries also provides its clients with session handling, wherein the application server creates and assigns a new and unique session id after a successful user authorization. In this technique the session identifiers ensure that each customer is working only with their own financial information.

3. Logging: Via this technique Panther Industries provides its clients with the ability to log all customer and employee activity, such as IP addresses, sessions etc.
The log history generated via this technique provides for efficient supervisory and archival control.

3.2 System weaknesses

Despite the strong security measures it provides, the system suffers from some weaknesses which can result in a compromise of customers' financial data. More specifically, the system is not secured against the most recent and emerging threats that we have experienced recently: the MITB and MITM attacks referenced in section 1. These two forms of attack bypass the authentication measures by instilling a false sense of security. What makes them hard to detect is the fact that they piggyback on authenticated sessions. The authentication techniques used at Panther Industries can successfully prevent attacks wherein hackers try to impersonate a user or steal an identity. But since hackers that deploy MITB or MITM use already authenticated sessions, our authentication techniques cannot prevent these forms of attack. Another characteristic of these attacks is that they relay legitimate, verified credentials in real time. Since these are validated credentials, they successfully fool the user-session tokens created on the server. This technique buys the hacker 30-60 seconds, enough time to steal sensitive information such as passwords.

4. System protection options

To provide our banking clients with a robust approach to tackling these emerging threats, we have outlined a few protection options in this section.

4.1 Protection from Man-In-The-Browser attack

1. Digital signatures: To protect customers from a Man-In-The-Browser attack we need to (i) ensure the integrity of the transactional data between the bank and the customer and (ii) offer a higher degree of authentication for the transactions. So to successfully curb this form of attack we need to discontinue the use of the browser as the means to conduct transactions, and also detect any variation in the transactions.
This will take away the medium that hackers use to mount the attack in the first place. This can be achieved by offering digital signatures which can be used to sign digital PDF forms rather than conventional web-based HTML or PHP forms. So when the customer clicks the submit button, the information travels via a PDF form which is digitally signed by the customer. The submitted information is therefore never exposed to the browser environment and cannot be intercepted by the MITB technique.

2. Creation of Virtual Private Sessions: As the name suggests, Virtual Private Sessions (VPS) are virtual sessions created with the end-user wherein the server alerts the user of any modifications made to a transaction. The transaction goes through only if the user approves it. The duration of such a session is very short and expires in 30 seconds, which doesn't give the interceptor enough time to capture, alter or modify the data.

4.2 Protection from Man-In-The-Middle attack

To prevent MITM attacks we propose the use of Public Key Infrastructure (PKI) technology. In this technique, a challenge protocol is used to ensure a safe and authenticated transaction between the customer and the bank portal. The challenge protocol helps the PKI validate that the website requesting the authentication is the bank's website which issued the credentials in the first place. This validation is done automatically and will thwart any username and password requests made via an unverified URL.

5. Risk mitigation strategies

The risk management strategies to mitigate the risks that arise from MITB and MITM attacks primarily consist of educating our clients about the constantly changing landscape of cyber-security for online banking operations and the solutions that we offer via our technology. This will help the banking institutions that use our software platform to have a clear strategy for offering their customers a safe and secure online banking experience.
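The Go program below is an added example, not Panther Industries' code, of the two mechanisms from sections 4.1 and 4.2 above: a transaction signed on the customer's token lets the bank detect a beneficiary altered in the browser, and the login challenge protocol is realised here by binding the server origin into the signed challenge so that a response collected by a counterfeit site does not verify at the genuine bank. The Ed25519 key pair, account numbers and origin strings are constructed for the demonstration; the page does not name a signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transaction as displayed and signed on the customer's phone/PDA token,
// outside the browser that a MITB Trojan may control.
type Transaction struct{ From, To, Amount string }

// canonical serialises the fields in a fixed order with a separator, so the
// token and the bank sign and verify exactly the same bytes.
func (t Transaction) canonical() []byte {
	return []byte(t.From + "\x00" + t.To + "\x00" + t.Amount)
}

// SignTransaction runs on the token; the private key never leaves it.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.canonical())
}

// VerifyTransaction runs at the bank over the transaction it actually received;
// a field altered in the browser after signing makes verification fail.
func VerifyTransaction(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.canonical(), sig)
}

// SignChallenge answers the bank's fixed-length random challenge. The origin the
// client is really talking to is bound into the signed message, so a response
// collected by a counterfeit server cannot be relayed to the genuine bank.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte, origin string) []byte {
	msg := append(append([]byte{}, challenge...), []byte("\x00"+origin)...)
	return ed25519.Sign(priv, msg)
}

// VerifyChallenge is run by the bank with its own origin, not the one the client saw.
func VerifyChallenge(pub ed25519.PublicKey, challenge []byte, bankOrigin string, sig []byte) bool {
	msg := append(append([]byte{}, challenge...), []byte("\x00"+bankOrigin)...)
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	tx := Transaction{"ACC-1001", "ACC-2002", "250.00"}
	sig := SignTransaction(priv, tx)
	altered := Transaction{"ACC-1001", "ACC-9999", "250.00"} // beneficiary swapped in the browser
	fmt.Println("genuine verifies:", VerifyTransaction(pub, tx, sig))      // true
	fmt.Println("altered verifies:", VerifyTransaction(pub, altered, sig)) // false
}
```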
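As an added example of the Virtual Private Session described in section 4.1 (not the page's own code), the Go program below keeps a pending confirmation with a 30-second expiry and a digest of the transaction the bank received; approval is refused once the window closes, if the code is wrong, or if the details the user confirmed differ from those the bank holds. The code format, digest scheme and account numbers are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)
// vpsWindow is the 30-second lifetime of a Virtual Private Session (section 4.1).
const vpsWindow = 30 * time.Second
// Confirmation is the bank's record of one pending session.
type Confirmation struct {
	Code    string    // one-time code shown to the user out of band
	Digest  [32]byte  // digest of the transaction the bank is about to execute
	Expires time.Time // approvals after this instant are refused
}
// digestTx hashes the transaction fields in a fixed order.
func digestTx(from, to, amount string) [32]byte {
	return sha256.Sum256([]byte(from + "\x00" + to + "\x00" + amount))
}
// OpenSession runs when a transaction request arrives; the bank then shows the details
// it holds plus the code on a channel the browser does not control.
func OpenSession(from, to, amount string, now time.Time) (Confirmation, error) {
	raw := make([]byte, 4)
	if _, err := rand.Read(raw); err != nil {
		return Confirmation{}, err
	}
	return Confirmation{hex.EncodeToString(raw), digestTx(from, to, amount), now.Add(vpsWindow)}, nil
}

// Approve checks the user's reply (code plus the details as the user saw them)
// and fails closed on expiry, wrong code, or details differing from the bank's.
func Approve(c Confirmation, code, from, to, amount string, now time.Time) error {
	switch {
	case now.After(c.Expires):
		return errors.New("virtual private session expired")
	case code != c.Code:
		return errors.New("confirmation code mismatch")
	case digestTx(from, to, amount) != c.Digest:
		return errors.New("details differ from the transaction held by the bank")
	}
	return nil
}

func main() { // constructed sample run: a browser-altered beneficiary is refused
	c, _ := OpenSession("ACC-1001", "ACC-2002", "250.00", time.Now())
	fmt.Println(Approve(c, c.Code, "ACC-1001", "ACC-9999", "250.00", time.Now()))
}
```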
The checklist should include the following best practices for online banking for bank employees to prevent fraud:

(i) The most current versions of anti-virus programs as well as a firewall should be installed on all computers.
(ii) A designated network engineer should be tasked with the responsibility of regularly updating the bank software.
(iii) Disable the services and/or conduits that are not in use.
(iv) Provide limited access to the internet to abate the risk of connecting to a malicious website.
(v) Not all employees should have 'administrator privileges' on their computers. Such privileges should only be granted to system administrators or higher management.
(vi) Make sure that employees have scanned their mobile devices before connecting them to the banking software.
(vii) Bank employees should use an email client that blocks the attachment types most commonly used by hackers to install malware on a computer.
(viii) A reputable pop-up blocker should be installed on all computers.
(ix) Ensure that internal bank documents used by employees are always the most recent and virus-free.
(x) Unusually high transactions should be immediately brought to the attention of upper management.
(xi) Banks should encourage their customers to check their account balance daily so that they can detect any suspicious transaction on their account at an early stage.
(xii) Ensure that all bank employees have a high level of awareness and follow good security practices overall.

6. Conclusion

We need to acknowledge the sophistication of the Man-In-The-Browser (MITB) and Man-In-The-Middle (MITM) attacks that clients of Panther Industries can face. Despite the secure authentication and encryption techniques that Panther Industries has developed, these malware programs can steal identities and commit financial fraud in the banking sector by combining a Trojan horse program with phishing.
To retain our clients' confidence, Panther Industries has to develop new technologies to stay a step ahead of these cyber-threats. To counter the threats presented by MITB and MITM, Panther Industries should provide its clients with the multi-tier authentication and digital signature technology described in section 4. The digital signature is created by encrypting the transactional data with the customer's private key; the bank's system validates that signature against the customer's public key and then authorizes the transaction. All in all, clients of Panther Industries stand to benefit greatly by deploying the solutions outlined in this white paper while still offering the current ease of use to their customers.

7. References