27.9.2013 - Venezia - ISACA VENICE Chapter
How to design more secure online payments systems: the lesson learned from the analysis of security incidents
Marco Morana
Venezia, 27 September 2013
Solutions and security for mobile applications and payments
About Me and This Talk
1. What is my role today? I lead a global team of security architects and analysts whose responsibility is to securely engineer mobile applications used by millions of private clients in several countries around the world. These applications bear the highest financial and security risks.
2. What have I learnt in my career as a security technologist? Today cyber-security risks are business risks: for risk managers, security auditors and security consultants it is imperative to be able to analyze threats and translate technical impacts into business impacts.
3. What are the goals of this talk? To provide the rationale for factoring threat and risk analysis into the risk strategy for mitigating the security risks of online banking and payments, and to emphasize the importance of adopting a process for analyzing threats, modeling attacks and identifying countermeasures that can be built into the design of online and mobile payment applications.
What I hope you can learn from my talk
1. How the cyber-threat landscape has evolved in attack sophistication, and how the cyber threat actors have evolved
2. The lessons CISOs can learn from post-mortems of publicly disclosed security incidents, from open source intelligence and from their own sources
3. The risk mitigation strategy that security managers can adopt to effectively mitigate the risk of cyber threats and reduce the technical and business impacts of payment fraud
4. The tactical risk processes and tools that can be used to analyze threats, model attacks and design countermeasures to cyber attacks against online payment systems
Evolution of Cyber-Threats and Challenges of Securing Emerging Technologies
The Evolution of Cyber Threat Actors (chart: threat severity versus time, 1995 to 2012; the labels recovered from the chart are listed below in chronological order)
 Circa 1995. Threats: Basic Intrusions and Viruses. Motives: Testing and Probing Systems and Data Communications. Attacks: Exploiting Absence of Security Controls, Sniffing Data Traffic, Defacing.
 Circa 2000. Threats: Script Kiddies, Viruses, Worms. Motives: Notoriety and Fame, Profit from renting Botnets for spamming. Attacks: DoS, Buffer Overflow Exploits, Spamming, Sniffing Network Traffic, Phishing emails with viruses.
 Circa 2005. Threats: Fraudsters, Malware, Trojans. Motives: Identity Theft, Online and Credit/Debit Card Fraud. Attacks: SQLi, Sniffing Wireless Traffic, Session Hijacking, Phishing, Vishing, Drive-by Download.
 Circa 2010. Threats: Hacktivists, Cyber Crime, Cyber Espionage, Fraudsters, Malware. Motives: Political, Stealing Company Secrets and Clients' Confidential and Credit Card Information for Fraud. Attacks: DDoS, Defacing, Account Take Over/Session Hijacking, SQLi, Spear Phishing, APT, RAT.
 2012 and beyond: What next?
Cyber-attacks still exploit weaknesses in traditional payment infrastructure
http://abcnews.go.com/GMA/video/cyber-bank-heist-charged-45-million-atm-heist-19149558
Technology evolution of online payments and banking applications/technologies
Card Payments and Online Fraud Schemes
 Account takeover: hijacking an authenticated session to transfer money to a fraudulent account or make fraudulent purchases
 Card-not-present fraud: online payments and purchases made with stolen credit cards and personal data
 Card application fraud: using stolen personal data to open bank accounts and apply for new credit/debit cards
 Card counterfeiting fraud: validating stolen credit/debit card data (PANs, CVVs, PINs) against online banking web sites in order to produce counterfeit cards
 Card-present fraud: a criminal approaches a merchant and pays by fraudulent means, such as a stolen or counterfeit card made with credit/debit card data and personal information stolen online
 Identity theft fraud: someone assumes your identity through social engineering, or by phishing for PII with malware/keyloggers and man-in-the-browser attacks, in order to commit fraud or another criminal act
 Internet fraud: non-delivery of items ordered online, and credit and debit card scams
Statistical Data of Fraud From Online and Mobile Payments
Fraud and Mobile Risks, Food for Thought
 45% of service providers and 40% of card issuers use device identification for mobile fraud prevention, but 55% of merchants can't detect a transaction from a mobile device (source: Kount 2013)
 Payment card fraud, phishing attacks and check fraud are the top three fraud threats financial institutions face in 2013 (source: Security Media Group, Faces of Fraud Survey, 2013)
 U.K. identity fraud totalled £3.3 billion in 2012 and affected 27% of the UK adult population (source: National Fraud Authority, June 2013)
 Mobile malware increased by 400% in 2012 and mobile-related data breaches are expected to grow (source: Verizon DBIR 2013)
 Wire and ACH fraud is on the rise despite the investment in anti-fraud technologies, IP reputation based tools, dual-customer authorization and customer education (source: Security Media Group, Faces of Fraud Survey, 2013)
 60% of mobile apps don't have a privacy policy notifying consumers which of their data the apps access (source: InfoWorld, March 2012)
How to Design Threat-Resilient Online Payment Applications
Adopt a risk mitigation strategy
1. Meet technology security standards and regulations
 Payment Card Industry Data Security Standard (PCI-DSS)
 Guidelines for authentication (FFIEC-OCC)
 Recommendations for the security of online payments (ECB)
 General data protection regulation (EU)
2. Conduct a threat and risk assessment
 Analyze internet security threats against online payment systems
 Assess the impacts of online payment fraud (card-not-present fraud, phishing attacks, check fraud, mobile payment fraud, internet fraud)
3. Implement security measures
 Strong authentication for customers
 Transaction monitoring to identify abnormal customer payment patterns
 Operational process for authorizing transactions
 Customer awareness and education
Examples of Payment Security Standards (ECB, PCI)
http://www.ecb.europa.eu/pub/pdf/other/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Threat and Risk Assessment using the Process for Attack Simulation and Threat Analysis (PASTA™)
Modeling of Account Take Over Attacks (attack tree diagram; the node labels recovered from the diagram are grouped below by stage)
Root: Fraudster
Initial attack vectors:
  Drive-by Download/Malicious Ads: Upload Malware on Vulnerable Site; Attack Victim's Vulnerable Browser
  Man In The Browser: Steals Keystrokes with Key-logger; Modifies UI Rendered By The Browser; Redirects Users To Malicious Sites; Deletes Cookies Forcing Login To Steal Logins
  Phishing Email, FaceBook Social Engineering: Phish User To Click Link With Malware
Compromise and data theft:
  Upload Banking Malware on Customer's PC
  Harvest Confidential Data/Credentials From Victim
  Steal Digital Certificates For Authentication
  Sends Stolen Data to Fraudster's Collection Server
Account takeover and cash-out:
  Use Stolen Banking Credentials/Challenge C/Q
  Remote Access To Compromised PC Through Proxy
  Logs into Victim's Online Bank Account
  Fraudster Performs Unauthorized Money Transfer to Mule
  Money Transferred From Mule to Fraudster
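The "transaction monitoring to identify abnormal customer payment patterns" measure from the risk mitigation strategy, applied to the account takeover model above, as an added example that is not part of the original presentation: a small rule set scores a transfer against the customer's own history (new device, session behind a proxy, never-seen payee, amount far outside the usual pattern, transfer shortly after login) and maps the score to allow, step-up authentication, or hold for the operational authorization process. The weights, thresholds, customer profile and transfers are constructed assumptions for illustration, not values from the talk.

```python
# Added example (not from the original slides): minimal transaction-monitoring
# rules for the account-takeover pattern in the attack model above. Weights,
# thresholds and sample data are illustrative assumptions.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class CustomerProfile:
    known_devices: set
    known_payees: set
    past_amounts: list        # amounts of previous successful transfers
    usual_countries: set


@dataclass
class Transfer:
    amount: float
    payee: str
    device_id: str
    country: str
    via_proxy: bool           # session seen behind an anonymising proxy/VPN
    seconds_since_login: int


# Illustrative (assumed) weights; each rule is a defensive signal, not proof of fraud.
RULES = [
    ("new_device",    35, lambda p, t: t.device_id not in p.known_devices),
    ("proxy_access",  25, lambda p, t: t.via_proxy),
    ("new_payee",     20, lambda p, t: t.payee not in p.known_payees),
    ("new_country",   10, lambda p, t: t.country not in p.usual_countries),
    ("fast_transfer", 10, lambda p, t: t.seconds_since_login < 120),
]


def amount_is_outlier(profile, amount, z_threshold=3.0):
    """Flag amounts more than z_threshold standard deviations above the customer's mean."""
    if len(profile.past_amounts) < 5:
        return amount > 1000.0      # assumed cold-start fallback when history is thin
    mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
    if sigma == 0:
        return amount > mu * 2
    return (amount - mu) / sigma > z_threshold


def score_transfer(profile, transfer):
    """Return (score, fired_rules); a higher score means a more abnormal payment."""
    fired = [name for name, _, test in RULES if test(profile, transfer)]
    score = sum(weight for name, weight, _ in RULES if name in fired)
    if amount_is_outlier(profile, transfer.amount):
        fired.append("amount_outlier")
        score += 30
    return score, fired


def decide(score):
    """Map the score to the operational process: allow, step up, or hold for manual authorization."""
    if score >= 70:
        return "HOLD_FOR_AUTHORIZATION"
    if score >= 35:
        return "STEP_UP_AUTHENTICATION"
    return "ALLOW"


# Constructed sample: a customer who pays two known payees small amounts from one laptop.
SAMPLE_PROFILE = CustomerProfile(
    known_devices={"laptop-home"},
    known_payees={"utility-co", "landlord"},
    past_amounts=[120.0, 130.0, 125.0, 118.0, 122.0, 127.0],
    usual_countries={"IT"},
)
ROUTINE = Transfer(125.0, "landlord", "laptop-home", "IT", False, 600)
SUSPECT = Transfer(4800.0, "unknown-mule-account", "new-device-7", "IT", True, 45)

if __name__ == "__main__":
    for t in (ROUTINE, SUSPECT):
        s, fired = score_transfer(SAMPLE_PROFILE, t)
        print(f"{t.payee}: score={s} rules={fired} -> {decide(s)}")
```

The routine rent payment scores 0 and is allowed, while the transfer to an unknown payee from a new device behind a proxy shortly after login trips five rules and is held for the dual-authorization process rather than silently blocked.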
Threat Model of Mobile Wallet Application
Lessons Learnt From Security Incidents of Online Payment Systems
Lessons Learnt
1. The threat agents have evolved in motives and capabilities from ego-driven to value-driven, and from isolated actors to organized crime
2. The attack tools used by threat agents have increased in sophistication and effectiveness
3. Security incidents today involve compromises of millions of credit card data records per incident, payment fraud and online fraud
4. New technology for mobile banking and payments increases the opportunity for attackers to exploit security holes and design flaws, and brings new security challenges for security and risk managers
5. The increase in spending on security measures such as anti-fraud systems does not always translate into reduced impacts from fraud
6. A different risk mitigation strategy is required, one that focuses on threat analysis and attack modeling
7. Application threat modeling makes it possible to identify and fix design flaws in online and mobile applications before they are exploited by threat agents and become liabilities for the merchants, the card processors and the banks
Questions
Thanks for your Attention
Email me: Marco (dot) M (dot) Morana (at) Citi (dot) com
Follow me on Twitter: @threatmodeling
Preorder the book "Application Threat Modeling Book, Wiley-Blackwell" on Amazon:
http://www.amazon.co.uk/Application-Threat-Modeling-Marco-Morana/dp/0470500964
