Security assessment for financial institutions
  1. Security Assessment for Financial Institutions
  2. Group-IB history. Stages of company development (2003, 2010, 2011, 2011, 2012): founded by Leta Group; acquisition; international expansion; creation of CERT-GIB; 60+ employees, dedicated certified professionals.
     Leader on the Russian market: the first and only company in the CIS providing comprehensive services in the investigation of security incidents.
     Various service packages: pre-incident consulting; response; forensics; investigation; legal support; post-incident consulting.
     Skolkovo resident: the CyberCop project, an integrated system for counteracting cybercrime.
     First 24/7 CERT in Eastern Europe: CERT-GIB is the first private Computer Emergency Response Team in Russia.
  3. Our key customers. *Completed project samples are available per customer request.
  4. Group-IB services for financial institutions:
     - Security analysis + penetration testing
     - Offensive security services
     - Computer forensics & investigations
     - Malware intelligence
     - Security incident response & managed security services
     - Botnet monitoring (Zeus, SpyEye, Carberp, etc.)
     - DDoS-attack protection service
  5. Banking & e-commerce vulnerability specifics:
     - Because of PCI DSS / PA DSS, "classical" web-application vulnerabilities (SQL injection, XSS, Local File Inclusion) are rarely encountered.
     - A WAF (web-application firewall) is widely used, but it is rarely set up and maintained properly.
     - Complicated applications, large dynamic changes, and the use of third-party and borrowed applications and plugins.
     - Various attacks on the client, which sits in an untrusted environment from the start (ActiveX-object vulnerabilities on the client side, other client-side vulnerabilities, inefficient information-protection measures).
  6. Penetration testing. Traditional approaches: «Black box» model, «Grey box» model, «White box» model.
     Informal testing options and qualification:
     - Developing exploits for vulnerabilities in online-banking software
     - Use of «zero-day» vulnerabilities on the client side / server side
     - Own software security lab with more than 20 public advisories in bug trackers
     - Use of social engineering and individual tactical approaches
     - We provide a detailed report and free-of-charge consulting services
  7. «PCI compliance does not equal security»: HDFC Bank / Blind SQL injection (CVSS Base Score 9.0)
  8. XSS exotics: an RBS customer is under attack. HTML5 Canvas capabilities / jQuery and XSS vector vulnerabilities (taking a screenshot + keystroke interception in the context of the session).
  9. Analysis of the protection measures. A trusted environment may also contain a vulnerability (ZTIC detachable devices, Zone Trusted Information Channel). Checkpoint Abra Multiple Vulnerabilities: Group-IB's advisory.
     Sample built-in ACL list (F:\PWC\data\sandbox-persistence.ref):
       <Execute OriginalName="calc.exe" PathName="calc.exe" AppName="MicrosoftCalculator" UIDescription="Microsoft Calculator" id="134"/>
     «Dirty» security trick (after shutting off Windows File Protection):
       takeown /f <file_name>
       icacls <file_name> /grant %username%:F
       icacls <file_name> /grant *S-1-1-0:(F)
  10. «Zero-day» vulnerabilities applicable to banks
  11. Network architecture misconfiguration errors: gathering information from the internal infrastructure of the bank. Line format: <STX><message><ETX><checksum_character>. Tixi HSM-HNG Modem for Mitsubishi FX Remote Access.
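A strict parser for the <STX><message><ETX><checksum_character> line format named on the Tixi modem slide, added here as an example (not code from the slides or from the device vendor). The slide does not state the checksum algorithm, so the code assumes a one-byte XOR (LRC) over the message bytes; the point it demonstrates is that framing and checksum are validated before any payload is processed, so truncated or tampered lines are rejected rather than partially acted upon.

```python
# Added example, not from the Group-IB slides. The checksum is ASSUMED to be
# a one-byte XOR (LRC) over the message bytes; check the device manual.
STX = 0x02
ETX = 0x03


class FrameError(ValueError):
    """Raised when a received line is not a well-formed frame."""


def lrc(data: bytes) -> int:
    """XOR of all bytes (assumed checksum algorithm)."""
    value = 0
    for b in data:
        value ^= b
    return value


def build_frame(message: bytes) -> bytes:
    """Wrap a payload as <STX><message><ETX><checksum>."""
    if STX in message or ETX in message:
        raise FrameError("control characters not allowed inside message")
    return bytes([STX]) + message + bytes([ETX, lrc(message)])


def parse_frame(line: bytes) -> bytes:
    """Validate one received line and return its message.

    Every structural check runs before the payload is returned, so a line
    with a missing delimiter, trailing garbage or a bad checksum is refused.
    """
    if len(line) < 3 or line[0] != STX:
        raise FrameError("missing STX")
    etx = line.find(bytes([ETX]), 1)
    if etx == -1:
        raise FrameError("missing ETX")
    if len(line) != etx + 2:
        raise FrameError("frame must end exactly one byte after ETX")
    message = line[1:etx]
    if line[etx + 1] != lrc(message):
        raise FrameError("checksum mismatch")
    return message


def frame_is_valid(line: bytes) -> bool:
    """Predicate form, convenient for monitoring or logging rejected lines."""
    try:
        parse_frame(line)
        return True
    except FrameError:
        return False
```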
  12. Information security integration services:
     - Security Information and Event Management solutions (SEM, SIM and SIEM)
     - Implementation of Intrusion Detection and Prevention systems (IDS/IPS)
     - Implementation of Data Leakage Prevention systems (DLP) and their legal support
     - SOCs & Managed Security Services (MSS)
  13. Computer forensics. Forensic examination:
     - Restores the chronology of security events
     - Reveals signs of internal employee involvement
     - Discloses details of the committed theft in online banking
  14. Investigations. Typical cases:
     - Theft involving employees of the affected organizations
     - Theft with the use of malicious software (Trojans)
     - Theft involving the substitution of transaction details sent by e-mail
  15. Investigations. Steps of the RBS incident investigation:
     - Search for signs of involvement of internal staff (gathering evidence), based on the results of forensic investigations
     - Identify bot network control panels and search for links to other information security incidents
     - Identification of individuals providing additional services to the attacker
     - Getting detailed information about the structure of the bot network control panel and obtaining evidence of its use in a particular online-banking fraud
     - Defining the person controlling the bot network, and their actual location
     - Gathering data in the form of a set of documents to be sent to law enforcement and legal authorities
  16. Investigations. Resources used and sources of information gathering:
     - Distributed network of HoneyNet traps
     - Forensic investigation cases database
     - Malicious software research database
     - Database of all theft cases collected by Group-IB staff
     - Details on phishing sources
     - Previous investigation outcomes
     - Operational information & OSINT
     - Links to organizations involved in investigations in 48 countries
  17. DDoS attack investigations. As part of the investigation you get a detailed report on progress, as well as all necessary information and documentation:
     - The exact location of the botnet's control center;
     - Malicious code sample reversing;
     - Details on individuals involved in the DDoS attack;
     - A set of documents to hand the case over to law enforcement.
  18. Successful cases and projects: «Grum botnet shutdown, kills 20 percent of worldwide spam»
  19. Successful cases and projects: joint operation with Microsoft on the arrest of Leo Kuvaev
  20. Successful cases and projects: «Russian Authorities Arrest 6 More Members of the Carberp Gang»
  21. DDoS protection services. HTTP protection technology: proxifying, internal routing, external routing. Client; Group-IB's network filtering platform.
  22. DDoS protection services. HTTP/HTTPS protection technologies: visitors; Group-IB's client gateway; routing; client's router; Group-IB's network filtering platform.
  23. Security incident response & MSS. The response to an information security incident is carried out by highly qualified professionals who are confronted daily with a variety of incidents, such as attacks on a website, an online banking system, or another information asset. Each incident is unique and requires an individualized approach, which is why we have a dedicated forensic team of professionals and a certified CERT to meet the most exacting customer requirements.
     Our 24/7 CERT-GIB team responds to all sorts of threats:
     - Denial of service attacks (DoS, DDoS);
     - Unauthorized use of data processing and storage systems;
     - Data compromise;
     - Asset compromise;
     - Internal/external unauthorized access;
     - Creation and distribution of malicious software;
     - Breach of information security policies;
     - Phishing and unlawful brand use online;
     - Online banking fraud and electronic payment systems.
  24. CERT-GIB: Europe, North America, Asia. CERT-GIB Moscow: GMT+4; CERT-GIB Vladivostok: GMT+10; CERT-GIB New York: GMT-5; CERT-GIB Singapore: GMT+7.
     First 24/7 CERT in Eastern Europe: CERT-GIB is the first official Computer Emergency Response Team in Eastern Europe, and the first private CERT in Russia.
     Expanding global presence: Europe, North America, Asia, for smooth and comprehensive incident handling.
     Immediate response to all types of security threats: phishing, spam, scam, DDoS attacks, malware, etc.
     .RU, .РФ, .SU: unique capabilities. A 24/7 expert organization to fight phishing, malware and botnets, authorized to take action against suspicious activities in the RU, РФ and SU domain zones.
  25. Commendations from law enforcement officials
  26. References. *Translated references and commendations are available per customer request.
  27. Media about us