Security in the Age of Digital Mobile Banking & Online Banking
Fandhy H. Siregar, M.Kom, CISA, CISM, CIA, CRMA, CISSP, CEH, CEP-PM, QIA, COBIT5, CRISC, CGEIT*
Digital Banking Penetration
Affluent and younger consumer segments have led the adoption of digital banking services in the ASEAN markets we surveyed, with the exception of Singapore, where use of digital banking is nearly universal.
Source: McKinsey Asia Personal Financial Services Survey, 2014
Source: McKinsey, Digital Banking in ASEAN: Increasing Consumer Sophistication and Openness
Digital Banking Customer Perception
Source: McKinsey Asia Personal Financial Services Survey, 2014
IBM Security Intelligence Index 2015
Financial & Insurance companies are still facing the biggest threats.
Source: IBM Security
The Challenge Ahead
Defenders’ capabilities to detect compared with attackers’ capabilities to deliver the attacks
The defender-detection deficit (range in one day). Source: Verizon Data Breach Investigation Report
Do you have Dark Web threat agents internally?
Who are the bad guys? Source: IBM Security
Dark Web: What does it look like?
Data Populations
• 90%: 7.9 zettabytes
• Visible to browser
• 3%: un-indexed, anonymous (TOR/I2P hashed table system to hide database information)
Source: Deepwebtech.com
Cyber Kill Chain: The Sooner The Better
1. Reconnaissance
2. Weaponization
3. Delivery
(Hours to months: Preparation)
4. Exploitation
5. Installation
(Seconds to minutes: Intrusion)
6. Command & Control
7. Action
(Months: Active Breach)
Source: Darkreading.com
Typical Mobile Apps
1. Client Apps (Android, iOS, BB, Windows Phone)
2. Browser-based Apps (HTML5, CSS, etc.)
3. SMS & USSD based Apps
4. NFC Apps (Contactless Smart Card)
5. Value Added Service (VAS) Apps, STK
6. Various Apps
• MicroATM/POS Apps
• QR Code
• Telematic Apps
Typical Mobile Banking Threats & Vulnerabilities
Mobile Apps (client device):
1. Fake Application
2. Malware Attack – Phone takeover – Insecure Application Permission
3. Smishing, Phishing
4. Man in the Middle (MITMobile, MITBrowser, Zeus in the Mobile)
5. Stolen Devices
6. Spyware, Keylogging
7. Weak User Authentication
8. Weak Device Management/Authentication
9. Rooted/Jailbroken Device
10. Social Engineering
Network/Internet:
1. USSD/SMS Sniffing
2. SMS Spoofing
3. Message Replay Attack
4. Man in the Middle Attack
5. Weak Encryption
6. Weak Device Management/Authentication
Mobile Apps Provider Server/Middleware:
1. Weak Application (SQL Injection, Cross Site Scripting, Command Injection, etc.)
2. DDoS (Buffer Overflow)
3. Unpatched/Obsolete Platform, Database, O/S
4. Unlimited transactions
5. Insufficient Audit Trail/Log
Core Banking
Digital Banking Countermeasures
Infrastructure & operations:
1. Perimeter Defense (DMZ, Firewall, Web Application Firewall, Anti-Virus)
2. Detection Tool (IDS/IPS, SIEM)
3. Asset & Vulnerability Assessment
4. Penetration Testing
5. Dual Custody & Strong Administrative User
6. Proper session handling
7. Anti-DDoS
8. Fraud Detection Tool
9. High Availability & Disaster Recovery
10. Capacity Planning
11. Testing & Preventive Vulnerability Scanning
Fraud management:
1. Geographical & Historical Analysis
2. Behavioral Analysis
3. Transaction Limit
4. Blocking & Unblocking mechanism
5. Incident Response Team (CERT)
6. Financial Crime Investigation Team
7. Integration with AML/KYC system
Application:
1. Secure Design & Coding (Secure by Construction)
2. Secure Code Review
3. Protection by code obfuscation (cover time applied)
4. Vulnerability Assessment
5. Penetration Testing
6. Official Store & Secure Updating/Deployment
7. Strong Device Authentication (Remote Wipeout, No Locally Stored Sensitive Data)
8. Strong Application Authentication & Updating (Key Exchange)
9. Strong Encryption over Public Network (Data In Transit Protection)
10. Leverage for Fraud Detection (Error code, Logging, GPS Location, Risk Management, Device Fingerprinting, Rooting Detection, Debug Mode Detection)
Customer & device:
1. Strong User Authentication (2FA)
2. Secure Change of Password & Other Sensitive Information
3. KYC & Clear Terms & Conditions
4. User Education & Awareness Program
5. Secure Application Permission, Non-rooted Device
6. Client Anti-Virus/Spyware Signature Update
Source: Secure Mobile Payments System, VISA Europe
Mobile Risk Ecosystem
Countermeasures: Preventive vs Corrective
• Security Awareness Program
• Local Vulnerability & Patch Forum
• Standardized Risk Control for RCSA
• Cyber Security E-Learning Material
• Indonesia Cyber Security Forum
• Cyber Security related Policy & Procedure Amendments
• Application Control Review
• Annual Penetration Testing (apps and infrastructure)
• Continuous Assets Register & Management
• User Access Review (Apps, OS & DB)
• Pre-Deployment Vulnerability Scanning
• Firewall & Server Hardening Review & External Scanning
• Data Leakage Prevention
• Security Review on Design Proposal
• Failover and Incident Response Test
• Supplier/Vendor Security Assessment
Secure Code Review
Mostly to detect:
– SQL Injection
– Hardcoded Password
– XSS & HTML Code Injection
– OWASP Top 10 and SANS Top 25 Vulnerabilities
– Memory leaks and buffer issues
– Covers most well-known web application development languages (ASP.NET, JavaScript, Java, C/C++, etc.)
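As an added illustration (not part of the original slide deck, and not the reviewer tooling the presenter uses), the block below shows what a secure code review check for three of the issue classes listed above looks like in practice: SQL built by string concatenation, a hard-coded credential, and unescaped HTML output. It runs over a constructed set of sample source lines that pair each vulnerable form with its hardened form, so the output shows which lines a review should flag and which are acceptable. The rule names, the regular expressions and the sample lines are all assumptions made for this example; real reviews use full static-analysis tools rather than a few regexes.

```python
"""Minimal secure-code-review check (added example, not from the original deck).

Flags three issue classes named on the "Secure Code Review" slide:
  - sql-injection: SQL keyword in a string literal that is then concatenated
    or %-formatted with user data
  - hardcoded-credential: password/secret-like name assigned a string literal
  - xss: HTML tag literal concatenated with a variable without escaping
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    line: str


# (rule name, pattern). Patterns are deliberately simple; they are assumptions
# for this example and are not a substitute for a real static analyser.
RULES = [
    ("sql-injection",
     re.compile(r'["\']\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"\']*["\']\s*(\+|%)', re.I)),
    ("hardcoded-credential",
     re.compile(r'\b(password|passwd|secret|api_key)\s*=\s*["\'][^"\']+["\']', re.I)),
    # Concatenating a variable right after an HTML tag literal, unless the
    # variable is wrapped in an escape() call.
    ("xss",
     re.compile(r'["\']<[a-z]+[^"\']*["\']\s*\+\s*(?!(?:html\.)?escape\()\w+', re.I)),
]

# Constructed sample source: each vulnerable line is followed by its hardened form.
SAMPLE_SOURCE = [
    'query = "SELECT * FROM accounts WHERE id = " + account_id',          # 1: vulnerable
    'cursor.execute("SELECT * FROM accounts WHERE id = %s", (account_id,))',  # 2: parameterised
    'password = "Sup3rS3cret!"',                                           # 3: hard-coded
    'password = os.environ["DB_PASSWORD"]',                                # 4: from environment
    'html = "<p>Hello " + user_name + "</p>"',                              # 5: unescaped output
    'html = "<p>Hello " + escape(user_name) + "</p>"',                      # 6: escaped output
]


def review(source_lines):
    """Return a Finding for every (line, rule) pair where a rule matches."""
    findings = []
    for no, line in enumerate(source_lines, start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(no, rule, line.strip()))
    return findings


def main():
    for f in review(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.line}")


if __name__ == "__main__":
    main()
```

Running the block prints one finding each for lines 1, 3 and 5; the hardened forms on lines 2, 4 and 6 (parameterised query, credential read from the environment, escaped output) produce no finding, which is the behaviour a reviewer wants to confirm before trusting any automated check.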
Continuous Asset Management
Asset Re-Discovery & On-Boarding Process
Asset Registration:
1. Multiple hierarchies (by OS, region, owners)
2. Dynamic Tag Capabilities
CMDB IT Assets
Asset Reporting & Monitoring:
1. Discover forgotten or rogue devices
2. Organize and report the devices
Proactive Patch & Vulnerability Management
Automatic & Tool-Based VM
• Discovers all systems attached to your network.
• Identifies and analyzes vulnerabilities on all discovered systems.
• Reports findings of discovery and vulnerability analysis.
• Confirms that remedies or workarounds have been applied.
Local Vulnerability & Patch Management Forum
• Windows WSUS, Security Bulletin
Proactive VM Monitoring
• MITRE CVE-CWE, NIST NVD
1. Implement Patches
2. Escalation/Approval
3. Vendor technical support
Preventive Policy Enforcement Scanning
DEVELOPMENT/PRE-PRODUCTION ENVIRONMENT
• Pre-Deployment Scan
PRODUCTION ENVIRONMENT
• Regular Scan
• Regular/Scheduled Scanning & SEBI
• Workstation – Windows 8/10 Scanning
• Specific Compliance Scan
• Server – Windows Server/UNIX Based Scanning
• Web Application Scanning
• PCI/DSS Compliance
• Policy Compliance
• Policy Editor
Security Awareness Program: 6 Essential Components
1. Collateral (Newsletter, Blog)
2. Posters, Desktop Wallpaper
3. CBT/Online Training & Certification
4. Events, Seminars & Workshops
5. Security Intranet Portal
6. Survey & Behavioral Testing
Regulation Issue: Banking vs Non-Banking
Regulators: Otoritas Jasa Keuangan (OJK, Financial Services Authority); Kementerian Komunikasi & Informatika (Ministry of Communication and Informatics); Badan Regulasi Telekomunikasi Indonesia (BRTI, Indonesian Telecommunication Regulatory Body)
Banking Regulation:
1. PBI/POJK on IT Risk Management (Electronic Banking) + RPOJK
2. PBI/POJK on Know Your Customer
3. POJK Laku Pandai (Branchless Banking)
4. PBI/POJK on Internet Banking Risk Management
5. PBI/POJK on E-Money & Card-Based Payment Instruments (Alat Pembayaran Menggunakan Kartu)
Non-Banking Regulation:
1. PP 82/2012 on Electronic System Operators (Penyelenggara Sistem Elektronik)
2. Permenkominfo on Over The Top (OTT)
Issues:
• Shadow Banking
• Single Identity & KYC for Telco customers
• SIM Card Registration & Replacement
• Digital Certificate & Certificate Authority
• Cloud & Data Center Location
Digital Banking Task Force (OJK, Bareskrim Polri, BRTI, DK2ICN & Wantanmas)