Sunday, October 27, 2019
Principles of Information Security
Purpose:
In order to protect against accidental or intentional damage or loss of data, interruption of College business, or the compromise of confidential information, we must classify data and establish minimum standards and guidelines to ensure a secure system.

Effective from: 02/02/17

Scope:
This policy must be applied to all of the following: students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers and all other entities or individuals with access to confidential information through the Modern College of Business and Science or its affiliates/partners.

Responsible Party:
- Database Department
- Information Technology Support Department

Terms of Reference:

Access
Any personal inspection or review of the confidential information or a copy of it, or an oral or written account of such information.

Confidential Information
Information identified by the applicable laws, regulations or policies as personal information, individually identifiable health information, education records, personally identifiable information, non-public personal data, confidential personal information, or sensitive scientific or sponsored project information.

Data
Information generated in official College business, and information that is personal to the operator of a system.

Disclosure
To permit access to, or to release, transfer, distribute or otherwise communicate any part of the information by any means.

Incident
A potentially reportable event that may include, but is not limited to, the following:
- attempts to gain unauthorized access to systems or information;
- unwanted disruptions or Denial of Service;
- a virus spreading;
- theft, misuse or loss of electronic equipment containing private data;
- unauthorized use of systems for processing or gathering information;
- an office or unit that cannot dispose of confidential paper information in a proper manner;
- unauthorized changes to system hardware, firmware or software.

Policy Statement:
The Modern College of Business and Science must aim to create a safe environment for all in terms of data confidentiality and personnel. Information security professionals must employ techniques which prevent, as far as possible, any threat from exploiting any vulnerability. Threats could target privacy, reputation and intellectual property, along with much other data.

Data Classification
For the policy to be fully effective, and so that it is clear which data to protect, data must be classified into 3 categories:
- Category 1: data that can be freely distributed to the public.
- Category 2: internal data only, not meant for outsiders.
- Category 3: sensitive internal-only data that could affect operations if disclosed to the public.
- Category 4: highly sensitive internal data that could put the organization at financial or legal risk if disclosed to the public.

Security Prevention Measures
Security prevention measures ensure security and provide reassurance for the business and also for its customers. Prevention measures can consist of many things.

i) Existing Security Measures
- Access control ensures that only users granted permission to access the database may do so. This applies to accessing, modifying and viewing the data.
- Frequent SQL input validation tests are conducted in order to ensure that no unauthorized users can access the database.
- Three separate cloud-based servers are available, two of which are for backup purposes; this ensures the availability of the data in the case of an intrusion on one of the servers.
- All servers are backed up daily.
- Database auditing is conducted frequently.
- Database log files are checked frequently for any malicious activity.
- All database security is managed by a third party in order to ensure maximum security.
- In order to avoid Denial of Service (DoS) attacks, which could affect availability, the web applications are placed on different servers.
- Role-Based Access Control is used in order to make sure employees can only retrieve content from the database that they are authenticated and authorized for.
- Discretionary access control is permitted only to the database department, as no other faculty or staff needs or is permitted access.

ii) Flaws which need review
- Password policy is not strictly enforced for students, which can result in the compromise of an account.
  Solution: the password policy MUST apply to all; therefore, the database department must make it mandatory.
- No honeypot is available.
  Solution: the necessary equipment and software should be purchased for this to be done. This will help the College avoid attacks such as SQL injection or any other database attack.
- No digital certificates are used when messages are sent across the website.
  Solution: create a system that sends a digital certificate/signature to ensure a better level of security.
- No certified security professionals are currently employed.
  Solution: raise the issue with Human Resources as a matter of concern and seek to hire a professional or train existing staff.
- Lack of awareness among staff and faculty regarding security in general.
  Solution: conduct training for faculty and staff on how to spot basic threats, potential intrusions, etc.

* After these flaws are fixed, the policy MUST be reviewed and updated.

iii) Added Policies
- Conduct penetration testing and risk assessment frequently; a report must be generated and reviewed by the Chief Information Security Officer (CISO). Vulnerabilities must be fixed.
- In the case of an incident, the CISO must be informed to take the necessary action. Any employee failing to do so shall face disciplinary action.
- The database MUST use views rather than tables to ensure security; all entries must be predefined queries.
- Database remote access and other forms of distance access must be disabled by blocking ports such as the Telnet port, FTP and others.
- The database password MUST be updated every fortnight to ensure the security of the password.
- A password strength policy must be implemented for the database (min 8 characters; capital and small letters, numerals and special characters).
- Backups must also be done offsite and not only in the cloud.
- Backups of Category 3 and 4 data, as described above, must also be made on a specially encrypted drive, separate from normal backups.

Group Responsibilities
All members of the College are responsible to some extent for the security of their own data and other assets. Below is what each group of individuals is responsible for.

A. Custodians are responsible for:
1. Establishment of information security procedures
2. Managing authorizations
3. Recordkeeping
4. Incident handling and reporting

B. Users are responsible for:
1. Abiding by the College IT policy
2. Physical security
3. Information storage
4. Information spreading and sending
5. Method of disposal of information and devices
6. Passwords
7. Computer security
8. Remote access
9. Logging off
10. Virus and malicious code protection
11. Backups
12. Incident handling and reporting

C. Managers are responsible for:
1. Everything that users are responsible for
2. Everything that the custodians are responsible for
3. Sharing responsibility for information security with the employees they supervise
4. Establishing information security procedures
5. Managing authorizations
6. User training and awareness
7. Physical security
8. Incident handling and reporting

D. Information Service Providers are responsible for:
1. More extensive information security requirements than individuals
2. Establishing information security procedures
3. Physical security
4. Computer security
5. Network security
6. Access controls
7. Passwords
8. Contingency planning
9. Incident handling and reporting

Administrative Responsibilities
A. The CISO should continually monitor the College's database security system to ensure there are no flaws or loopholes, and should propose tools or mitigation strategies. S/He must do the following:
1. Create, review and revise policies, procedures and standards.
2. Ensure security training and awareness.
3. Hold overall authority for College network and system security.
4. Handle, remediate and report incidents.
5. Collaborate with the Office of Internal Audit to ensure policy conformance.

Enforcement / Implementation
The required actions mentioned in the policies and rules must be carried out from the effective date mentioned above. Those who fail to comply with and follow this policy shall face disciplinary action. This policy must be strictly implemented.

Man in the Middle and Man in the Browser Attacks on Financial Institutions

Abstract
Four decades ago, what started as a US military research initiative to build a network linking US universities and research centers is now the Internet. Today it has expanded to every corner of the globe (Privgcca, 2016). The number of Internet users has risen from a few computer scientists to 3.17 billion. It has helped reduce the costs of communication, as one can easily keep in touch and communicate with others through chat, email applications and online transactions/payments (Friedman, 2014). It has also helped organizations to offer better customer service, reduce the amount of paperwork, increase productivity, and enable customers to make enquiries and perform transactions anytime and from anywhere. This paper focuses on the importance of online banking/transaction security.
Introduction
Banking organizations have been developing for years in a broad scope and have started to replace more traditional banking techniques in certain fields, such as processing cheques, making transactions and money transfers, with online ones; therefore, payment systems are constantly undergoing radical changes. More security measures are present, but the users of these systems must also be allowed decent compatibility. Due to the number of modern-day threats, these banks have also been facing a vast amount of risk and vulnerability exploitation; banks are usually very concerned about two kinds of attack, the man in the middle attack (MITM) and the man in the browser attack (MITB). As a result, financial institutions must ensure that they provide effective authentication techniques. These two attacks (MITM and MITB) are the main concentration of this paper, and the focus of the analysis will be on these attacks as well.

The Two Common Attacks
The Man in the Middle and Man in the Browser are the predominant attacks in the finance industry. The difficult part is identifying each type of attack and taking precautionary measures against either. MITM occurs when an attacker can see and modify the communication between the client and the bank; it makes both parties believe they are communicating directly with each other, while in fact an attacker is eavesdropping. This is therefore very common on unsecured and unprotected networks. On the other hand, MITB uses malware to infect a web browser. The malware exploits vulnerabilities in the browser's security, which enables the attacker to modify and manipulate the page.

Getting Technical: MITB vs. MITM
One of the few important differences between these two attacks is that MITM attacks operate at the network layer, whereas MITB attacks operate at the application layer, in this case in the web browser. Although MITM attacks remain popular, attackers prefer MITB, as banks may use session IDs to identify MITM attacks. Using session IDs, banks can determine whether there has been malicious activity during a transaction, notice the fraudulent attempt and consequently cancel it. By giving the customer's device a unique ID, the bank can then use algorithms to analyze and link the multiple user sessions from where they typically perform their banking (Eisen, 2012). MITB attacks are a lot more deceitful: they completely take control over the user's view of the website and control the browser while the user thinks everything is normal. The attackers in this scenario alter web views and the account balance without the user's knowledge. Once the user logs in, they can also redirect any sensitive traffic to an attacker's system, while keeping the original SSL/TLS protections intact (Trusteer, 2013).

MITB
People are very commonly exposed to the risk of these attacks because of browser security problems; in the case of MITB, browser extensions are frequently the malware which allows the attacker to exploit the vulnerability. Browser extensions are frequently portrayed as useful software that enhances the user experience but are in fact malicious software or code. This is known as a Trojan. Browser extensions may be plugins, Browser Helper Objects (BHOs), JavaScript and add-on features. The functionality of BHOs is usually to add functionality to a browser; these could be written by an attacker with programming experience. The problem with BHOs is that they can hide from antivirus, which makes them undetectable. In a MITB attack these are used to change a site and to add or remove fields. They can also add registry entries to the system and load at boot (Utakrit, 2009). Greasemonkey is a popular add-on for Chrome which allows a user to change the appearance of a website or eliminate ads. This JavaScript is not malicious, but it uses the same methodology as the malicious JavaScript applets. The danger of add-ons is that they can easily monitor and retrieve the user's information at any time.

SSL has been thought of as a solution to MITB attacks by some security experts, but even this control has been proven to be ineffective. The reason is that the attacker injects or gives the user a Trojan which carries out malicious activities directly inside the browser. Therefore, no suspicious activity is detected.

MITM
MITM attacks are less common, as security professionals have learned ways to mitigate the attacks that use this method. It is also widely known as session hijacking. In this case, the attacker usually seeks vulnerable hotspots or networks. The attacker would usually direct the victim to a fake login page of a website (perhaps a phished page) and then obtain the credentials as soon as they are entered. The attacker could then simply access the account and withdraw money or make transactions. Security measures such as the OTP are not effective as a defense against this attack, as the attacker could fraudulently capture the temporary password and forward it to the portal within the 30 to 60 seconds provided. The main issue in this attack is that the user has no way of being sure of, or verifying, who is asking for the information. As a result, two-step verification is also considered vulnerable.

Protective Measures
The security triad, which is an important principle to security experts, revolves around three elements. C, Confidentiality: do not allow unauthorized individuals to access or see data or systems. A, Availability: ensure the system/data is available when needed. I, Integrity: if data, a system or, in this case, a transaction loses its integrity, it has been tampered with. In the case of transactions, integrity is a very important principle. Banks and financial institutions need to ensure that integrity is always maintained. To do so, we need to implement controls, also known as countermeasures.

User Protection Strategies and Controls

MITB
In order to minimize these attacks, knowledge is needed on either side of the equation: the users should be aware, as well as the bank. Users can take precautions by installing antivirus; although not entirely effective, since it depends on the detection capability, it reduces the chances. Secondly, use a hardened browser on a USB drive; this will provide moderate protection. Thirdly, only do online banking with banks who are aware of these kinds of threats and implement countermeasures. Ultimately there is risk in every procedure; unless you are willing to forgo online banking entirely, there will always be risks and threats.

MITM

Mitigation for Banks

MITB
As previously mentioned, attackers have also learned how to compromise two-step authentication; the same applies to CAPTCHA and others. The malware can simply wait until the user has authenticated himself. It can also intercept and modify responses even when SSL or encryption is used. Moderate protection could be offered by the bank itself providing clients with hardened browsers on USBs containing cryptographic smart tokens for authentication. Hardened browsers are harder to infect. Similarly, an OTP token with signature would be effective: the user would have to re-enter the transaction details into the OTP device, which then generates a signature based on them, so that the signature would not match if the MITB alters the request; this is, however, rather inconvenient. Fraud detection based on transaction type and amount is also sometimes effective; in the case of an abnormal transaction, some banks call the client to check whether it is genuine. User profiling could also be used.

MITM
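The OTP-with-signature control described under Mitigation for Banks, and the relayed-OTP weakness noted in the MITM section, as an added Python model that is not part of the original paper: the shared secret, counter and transaction values are constructed for the demo, and the numeric code format follows HOTP-style truncation (RFC 4226).

```python
import hmac
import hashlib
import struct

# Constructed sample secret: in practice provisioned into the user's token at
# enrolment and stored by the bank. Not a real key.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"


def _truncate(digest: bytes, digits: int = 8) -> str:
    # HOTP-style dynamic truncation (RFC 4226, section 5.3): a short numeric
    # code the user can read off a token display.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def plain_otp(secret: bytes, counter: int) -> str:
    """One-time password bound only to the secret and a counter. Nothing about
    the transaction is mixed in, so a relayed code still verifies."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest())


def transaction_signature(secret: bytes, counter: int, beneficiary: str, amount_cents: int) -> str:
    """OTP with signature: the user re-types beneficiary and amount on the token,
    which mixes them into the HMAC and binds the code to those exact details."""
    tx = f"{beneficiary}|{amount_cents}".encode()  # fixed, unambiguous encoding
    return _truncate(hmac.new(secret, struct.pack(">Q", counter) + tx, hashlib.sha256).digest())


def bank_verify_otp(secret: bytes, counter: int, code: str) -> bool:
    return hmac.compare_digest(plain_otp(secret, counter), code)


def bank_verify_signed(secret: bytes, counter: int, beneficiary: str, amount_cents: int, code: str) -> bool:
    # The bank recomputes over the details it actually received in the request.
    return hmac.compare_digest(transaction_signature(secret, counter, beneficiary, amount_cents), code)


def demo() -> dict:
    """Constructed scenario: the user authorises 100.00 to ACC-1, but in-browser
    malware rewrites the request to 5000.00 to ACC-ATTACKER before it is sent."""
    counter = 42
    user_sees = ("ACC-1", 10000)
    browser_sends = ("ACC-ATTACKER", 500000)
    otp = plain_otp(SHARED_SECRET, counter)
    sig = transaction_signature(SHARED_SECRET, counter, *user_sees)
    return {
        "plain_otp_accepts_altered_tx": bank_verify_otp(SHARED_SECRET, counter, otp),
        "signed_otp_accepts_altered_tx": bank_verify_signed(SHARED_SECRET, counter, *browser_sends, sig),
        "signed_otp_accepts_genuine_tx": bank_verify_signed(SHARED_SECRET, counter, *user_sees, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The plain OTP is accepted even though the request was rewritten, because the code says nothing about what is being paid to whom; the signed code fails on the altered request and passes only on the details the user actually typed.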