CeBIT 2012 Security Plaza - CREALOGIX Presentation

CREALOGIX E-Banking presents its security products for financial institutions.

  1. Do we have to lose this battle? ENDPOINT SECURITY REDEFINED, March 2012
  2. Brief History: CREALOGIX Group in Brief
     The CREALOGIX Group is the leading independent Swiss provider of software and hardware solutions. Its core business is focused on e-Finance, e-Business and e-Education. The shares of CREALOGIX Holding AG (CLXN) are traded at the SIX Swiss Exchange.
     Fiscal Year 2011/2012:
     • Founded: 1996
     • Employees: 256
     • Market capitalization: CHF 102.7 Million
     • Revenue: CHF 52.8 Million
     • Offices: 4 locations around Switzerland and Germany
  3. Problem Statement: When can an online transaction be considered secure?
     The security of online transactions in a given computing system can be measured only through observing its response under attack by malware.
     IT security goals (diagram): confidentiality, availability, integrity, transaction non-repudiation.
     • Enable the transaction process
     • Safeguard the privacy of the data displayed and exchanged during the transaction
     • Ensure the integrity of the transaction details
  4. Problem Statement: Can we agree on what is needed?
     • Can a hardware-only solution protect transaction integrity? To a large extent yes, particularly if implemented as out-of-band validation. However, the new types of social engineering attacks show that even such methods are insufficient.
     • What about data confidentiality? If the application, such as a web browser, is compromised, confidential data will be stolen before the transaction is executed. Unless the application is properly hardened, no hardware-based authentication and validation system will help.
     • What will be the result of attacks launched against methods using hardware-only validation? By design, transaction signing using a “trusted” hardware device can help stop fraudulent transactions only by lowering the system’s efficiency.
     Security should not rely on end-user behaviour or on the state of his/her PC. Everything can be hacked. The protection efforts must focus on hacking economics. Security experts agree: application hardening is the last effective means for lowering the hacking ROI.
     However, the complexity of understanding, implementing and maintaining application hardening is a barrier to entry for most software and service companies. Furthermore, the need to implement pro-active security updates and to integrate end-user hardware raises the barrier even higher.
  5. Application Hardening: A Call to Action. Example: Web Browser
     • Web browsers have evolved from early single-document renderers to multi-program execution environments (close to an operating system).
     • The architecture of web browsers has not evolved at the same pace and is unable to handle the security requirements of a complex run-time environment.
     • New security requirements inevitably conflict with the usability, functionality and flexibility requirements of (spoiled) end-users.
     • Any re-architecture of standard web browsers faces issues with backward compatibility, in order not to disrupt existing web sites and force extensive reprogramming.
  6. Application Hardening: A Call to Action. A look under the hood of a standard browser…
     Diagram: components of a standard browser. User interface (display, mouse, keyboard); history, cookies, cache; external certificate store and user certificate store; extensions and plugins (ActiveX, PDF, Flash, Java); user data (bookmarks, password manager, passwords); browser kernel (session, DOM, SSL/TLS, network); rendering engine (layout, HTML, XML, JavaScript).
  7. Application Hardening: A Call to Action. Attack vectors against a standard browser…
     Diagram: attack-vector labels laid over the same browser components (user interface, extensions, plugins, user data, browser kernel, rendering engine): INFACE-MAN, SCREEN-C, KEY-LOG, MOUSE-LOG, APP-STEER, MDW SPOOF, COMP-MAN, MEM-DUMP, MEM-PATCH, DATA SNIFF, BROW-CERT, REV-ENG, CODE-INJ, DOM-MANIPU, CH-BREAK, BUFF-OVFLW, BROW-SSL, BROW-DNS, SCRIPT.
  8. Application Hardening: A Call to Action. Focus on application security enhanced by hardware
     • Popular approach: EXTERNAL HARDENING. Links the application (e.g. browser) directly to a set of protection functions designed to enforce security policies. Focuses mainly on vulnerabilities and disables only some, specific attack vectors. ..... or NO APPLICATION HARDENING (focus on hardware).
     • CREALOGIX (holistic) approach: ARCHITECTURAL HARDENING. Changes block-structures, redefines policies/links between components and authorized programs, isolates program instances. Isolates/removes/adds new components, limits functions and programs. Introduces pro-active security updates. Own CREALOGIX hardware significantly enhances application security.
  9. Application Hardening: A Call to Action. The CREALOGIX hardened browser (CLX.SecureBrowser)
     • No extensions allowed (no BHOs, no Active-X, no Java, no plug-ins)
     • Stripped (no compiler symbols)
     • No external access allowed (no Document Object Model available)
     • Close binding with the cryptographic subsystem (no separation between Browser Core and the TLS engine)
     • Encrypted executable
     • Access Control List (ACL) restricts access to the web sites: white list of URLs; verification of IP addresses and SSL certificates; general policies (e.g. only HTTPS allowed)
     • Anti screen scraping
     • Anti key logging
     • No traces left on the PC (zero footprint)
     • Protection against debugging
     • Protection against reverse engineering
     • Encryption of session data
     Diagram: browser components (GUI, user data, PDF, kernel, OS, rendering, ACL) protected by obfuscation, encryption, isolation and virtualization.
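An added example, not CLX.SecureBrowser's own code, of the ACL checks this slide lists: HTTPS-only policy, URL white list, and verification of the resolved IP address and the presented certificate fingerprint; the same checks are what addresses the network-level vectors on slide 15 (DNS spoofing, IP rerouting, URL spoofing). The policy layout, hostnames, addresses and fingerprints are constructed.

```python
from urllib.parse import urlsplit

# Constructed policy (hypothetical values) standing in for the browser's ACL.
POLICY = {
    "https_only": True,                                   # general policy
    "allowed_hosts": {"ebanking.example-bank.ch"},       # white list of URLs
    "pinned_ips": {                                       # verified IP addresses
        "ebanking.example-bank.ch": {"203.0.113.10", "203.0.113.11"},
    },
    "pinned_cert_sha256": {                               # verified SSL certificates
        "ebanking.example-bank.ch": "aa" * 32,
    },
}


def check_access(url: str, resolved_ip: str, cert_sha256: str, policy=POLICY):
    """Return (allowed, reason). Every check must pass; the first failure is reported.

    resolved_ip is the address the connection would actually go to (what DNS
    returned), cert_sha256 the hex SHA-256 fingerprint of the presented certificate.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases and strips userinfo
    if policy["https_only"] and parts.scheme != "https":
        return False, "policy: only HTTPS allowed"
    if host not in policy["allowed_hosts"]:
        # Also catches look-alike hosts and "https://good-host@evil/" tricks,
        # since hostname is taken after any userinfo part.
        return False, f"host not on white list: {host or '<none>'}"
    if resolved_ip not in policy["pinned_ips"].get(host, set()):
        # DNS spoofing / transparent-proxy rerouting shows up as an unexpected address.
        return False, f"IP {resolved_ip} is not a verified address for {host}"
    if cert_sha256.lower() != policy["pinned_cert_sha256"].get(host):
        return False, "certificate fingerprint mismatch"
    return True, "ok"
```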
  10. Application Hardening: A Call to Action. Estote Parati
     Given enough time and resources anything can (and will) be hacked. However, proactive security updates can prevent the first-time-effort hacking patches from being easily exploited for large-scale attacks. The aim is to keep hacking success tied to ROI criteria.
     This can be accomplished by using code obfuscation techniques which are both polymorphic and virtualized, so that periodic updates of the executable code will require new efforts from hackers to build another attack code effective against the updated hardened application.
     Even just one secure update per month will keep hacking success tied to ROI!
  11. CREALOGIX Portfolio - Software. Hardened Applications (CLX.SecureApps)
     • CLX.SecureMail: e-mail client
     • CLX.SecureFiles: high-security file system
     • CLX.SecurePCScanner: virus scanner
     • CLX.SecureServer
     • CLX.SecureBrowser
     • CLX.SecurePDF: filling in and digital signing of PDF forms
     • Hardened applications (CLX.SecureApps) operate within the secure environment of the CLX.SecureDesktop
     • CLX.SecureApps can be provided on CREALOGIX hardware (plug-and-play, zero-footprint USB tokens) or be downloaded to the user’s PC
  12. Hardware products: CLX.Sentinel with CLX.SecureApps on board
     • Memory size up to 32 GB
     • Two- or three-chip version
     • Multi-platform (Windows, MacOS, Linux)
     • Support for virtualized environments, such as Citrix, VMWare, etc.
     • Remote software and firmware updates
     CLX.Sentinel has undergone a security audit by a leading Swiss security auditor, Compass Security AG. “To the best of its knowledge, Compass is not aware to this date of alternative solutions and products which can match the range and strength of the CLX.Sentinel protection mechanisms implemented to safeguard Internet-based e-banking transactions.”
  13. Hardware products: CLX.SentinelDisplay with CLX.SecureApps on board
     Developed in cooperation with the largest Swiss private bank. Same features as CLX.Sentinel, plus:
     • Keypad for secure PIN entry and transaction confirmation
     • Colour, high-resolution display for transaction confirmation (what-you-see-is-what-you-sign)
     • Two- or three-chip (external smart card) version
     • Point-to-point encrypted channel between the server and the firmware of the device
     The highest level of security available on the market.
     CLX.Sentinel has undergone a security audit by a leading international security auditor, Dreamlab Technology. “… the integrity of the device […] could not be affected by malicious software and techniques. The overall security and safety level of the product is estimated high, as long as the obfuscation techniques cannot be broken automatically within a short amount of time.” “The most important part of the hardware is buried under a large amount of black epoxy coating. Dreamlab tried common epoxy removal methods but was not successful ...”
  14. Conclusions: Application hardening
     • Fighting the malware epidemic requires a shift from defensive to pro-active security, forcing hackers to work for each new attack and restricting the number of viable attack vectors.
     • General-purpose applications cannot achieve acceptable levels of security. End-users cannot properly install, configure and maintain a secure computing environment.
     • Architectural hardening is essential to make attacks very complex and, in the case of social engineering attacks, to reduce their strength and variety to fraud levels. Hardening must be balanced and extensive.
     • A suite of hardened applications (web browser, PDF and file management, etc.) should be made available to bridge the security and productivity domains. Proactive updates must be secure, automated and compulsory.
     • When combined with specially designed hardware solutions, hardened applications offer unparalleled security and convenience.
  15. Application Hardening: How do you measure it? Attack Vector Activity Analysis
     Table: each attack vector is marked √ (covered) for CLX.SecureBrowser.
     • Network level attack vectors: DNS Spoofing √; IP Rerouting (Transparent Proxy) √; URL Spoofing √; Eavesdropping (non-secured connections) √; Content Spoofing (non-secured connections) √
     • GUI level attack vectors: Screen Capturing √; Windows Overlay √; GUI Controls Manipulation √; Keystroke Logging √; Mouse Logging √; Keystroke Event Emulation √; Mouse Event Emulation √
     • Application level attack vectors: Components Manipulation (BHO, Add-ons, Extensions) √; Static Reverse-Engineering √; Static Code Dumping √; Static Code Patching √; Resource Patching √
     • Process level attack vectors: Dynamic Memory Read √; Dynamic Memory Patching √; Function Injection √; Dynamic Reverse Engineering √
     Some attack vectors are mitigated through Pro-active Security Updates.
  16. Visit us at Hall 12, Stand C36
     FOR FURTHER INFORMATION: Kris Nowak, Director, International Business Development
     T: +49 6434 306 9843, M: +49 172 651 5508, F: +49 40 380 1785 4733
     E: kris.nowak@crealogix.com, W: www.crealogix.com
  17. Are we losing the battle? BBC News, 02.02.2012: Hackers outwit online banking identity security systems
     “Criminal hackers have found a way round the latest generation of online banking security devices given out by banks, the BBC has learned. …… …Devices like PINSentry from Barclays and SecureKey from HSBC - which look a lot like calculators - ask users to insert a card or a code to create a unique key at each login, valid for around 30 seconds, that cannot be used again….. …While these chip and pin devices make the hackers job more difficult, the hackers themselves have raised their game…. …A test witnessed as part of a BBC Click investigation suggests even those [PCs] with up-to-date anti-virus software could be at risk…. …Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered…. …Some versions of the MitB will change payment details and amounts and also change on-screen balances to hide its activities…. Every time a new update to the malware is released, it takes the security companies a number of weeks to learn how to spot it - to learn its common features.”
  18. Hardware products: CLX.SentinelDisplay
     Diagram: tunnelled secure channel for transaction authentication. Three parties: the E-Banking Server, the Host PC running the H-Browser, and the H-Token (CLX.E-Banking on a smart card OS/firmware, with no direct keystore access). Each side encrypts/decrypts and signs/verifies with its key pair: the H-Browser signing private key matched by a signing public key on the server, and the server private key matched by a server public key on the device. Transaction data is displayed on the device, compared, and the user’s confirmation is requested before signing. Two channels are labelled: the SSL/TLS secure channel (RSA 2048/AES 256) and a second channel (RSA 1024/3DES).
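The device-side signing and server-side verification from this diagram, as an added example that is not CREALOGIX code: the device signs only the fields it displayed and the user confirmed, so browser malware of the kind quoted on slide 17 that rewrites the request either before it reaches the device (caught by the user on the device display) or after signing (caught by the server) does not yield an accepted transaction. An HMAC under a constructed device key stands in for the slide's RSA signing keys, and all transaction values are constructed.

```python
import hashlib
import hmac
import json
from typing import Callable, Optional

# Constructed device key: a symmetric HMAC key standing in for the RSA signing
# key pair on the slide, so the example runs on the standard library alone.
DEVICE_KEY = b"constructed-demo-device-key"
SIGNED_FIELDS = ("to", "amount", "currency")  # exactly what the device display shows


def canonical(tx: dict) -> bytes:
    """Canonical encoding of the displayed fields; signer and verifier must agree byte for byte."""
    shown = {k: tx[k] for k in SIGNED_FIELDS}
    return json.dumps(shown, sort_keys=True, separators=(",", ":")).encode()


def device_sign(tx: dict, user_confirms: Callable[[dict], bool]) -> Optional[bytes]:
    """H-Token side: show the transaction on the device's own display and sign only
    what was shown, and only after the user confirms it (what-you-see-is-what-you-sign)."""
    shown = {k: tx[k] for k in SIGNED_FIELDS}
    if not user_confirms(shown):
        return None
    return hmac.new(DEVICE_KEY, canonical(shown), hashlib.sha256).digest()


def server_verify(submitted: dict, signature: bytes) -> bool:
    """E-Banking server side: the signature must cover the details actually submitted."""
    expected = hmac.new(DEVICE_KEY, canonical(submitted), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def run_transaction(intended: dict, tamper_before=None, tamper_after=None) -> str:
    """Host-PC flow. tamper_before models malware in the browser rewriting the request
    before it reaches the device; tamper_after models it rewriting the already-signed
    request on its way to the server. The user checks the device display against what
    they intended to send and confirms only if it matches."""
    to_device = tamper_before(intended) if tamper_before else intended
    confirms = lambda shown: all(shown[k] == intended[k] for k in SIGNED_FIELDS)
    sig = device_sign(to_device, confirms)
    if sig is None:
        return "rejected on device"
    submitted = tamper_after(to_device) if tamper_after else to_device
    return "accepted" if server_verify(submitted, sig) else "rejected by server"


# Constructed sample transaction
SAMPLE_TX = {"to": "CH00 DEMO 0000 0000 0000 0", "amount": "120.00", "currency": "CHF"}
```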