In this 21st century of globalization, the world is coming closer together and businesses are growing far beyond their home geographies. The banking and financial sector is no exception. The BFSI domain needs special attention, as one must take utmost care in customer data handling and data storage requirements. Every country has a governing bank, identified as the central bank or its equivalent. This body defines the rules of the game by dictating norms for what banks are and are not allowed to share or store outside their premises, or outside the nation. This is also essential from the end customer's perspective: where and how is their data being handled? As competition gets fiercer, banks need to find better ways of executing their projects and seldom have their own IT arm to support them. There comes the need to involve third-party vendors, who provide products, services, data handling and information processing for banks. This increases costs significantly. One way to tackle this is to outsource to a country where the cost of execution is lower. This is precisely the point where the PCI DSS standard comes into the picture: banks will be confident working with vendors who are PCI DSS compliant, knowing the information will be processed per the governing rules.
PCI DSS, the Payment Card Industry Data Security Standard, is a widely accepted standard for organizations that handle cardholder personal information. The Payment Card Industry Security Standards Council (PCI SSC) launched PCI DSS v1.0 in December 2004 to manage payment card industry security standards and to secure cardholder data. It is mandated by all card brands. Any bank, data processor or service provider that handles cardholder data should be compliant with PCI DSS, and banks are comfortable working with institutions that are compliant with the standard. To keep up with the data security standards, which are updated on a regular basis, the PCI DSS certification needs to be renewed annually.
Let's revisit some crucial aspects of PCI DSS certification. Why is PCI DSS so important? PCI DSS compliance certification means that our systems are secured and that appropriate protection measures are in place, from a cardholder data perspective, to keep cyber-theft away. Cyber-attacks not only result in potential loss of revenue; they break the TRUST that is built over years between a company and its customers, and they damage the company's reputation and image in the market.
Recently there have been many malware attacks, such as ransomware and BlackRouter, that can hit any organization unexpectedly and cause loss of important data. As we are responsible for our clients' data, we must adopt and comply with PCI DSS, which is currently the best framework for addressing these risks and establishing a proper standard.
PCI-DSS for Verinite
Verinite Technologies Pvt. Ltd provides support and services to the banking sector. While providing remote support and technical services, Verinite's employees may need to access cardholder data. Verinite provides a range of services, such as Project Management, Consulting, Third Party Application Support, Scheme Certification, Migration Reconciliation Expertise and Independent Testing Services, for banking environments globally. As a custodian of third-party information, Verinite has a fundamental responsibility to protect and secure the data it accesses. To fulfill industry needs and client requirements, Verinite defined its Information Security Management System (ISMS), which ensures adherence to the PCI DSS standard.
Verinite has been re-certified to the PCI DSS v3.2.
As a network administrator, this means a lot of checks and responsibility. We have to follow certain rules and regulations under PCI DSS to safeguard the data we hold from unauthorized access. From my daily activities, I think the following are some of the important points to take into consideration from a PCI DSS perspective.
- Firewall: Having a robust firewall is essential to protect data. The firewall is a major part of the network and plays a vital role in mediating communication between external and internal networks. Most of the time, attackers try to gain access through vulnerabilities in the firewall. It is part of my duty to ensure that the firewall is secure and monitored on a daily basis.
- Unique Identity: Assign a unique ID to each authorized person who needs system access. This lets us track who is accessing what at any point in time, so we can always ensure that only authorized people access systems, and in the proper manner. A two-factor authentication method is used, incorporating biometric control at entry to and exit from the facility, to ensure only authorized personnel are allowed inside.
- Password policy: Care must be taken that passwords are strong enough. A password should not be guessable by an individual or by a program in a reasonable amount of time. Hints for a strong password: a minimum of 8 characters, a combination of upper case, lower case and special characters, no repeating patterns, etc. Validation checks for the Active Directory password policy are very important.
- Antivirus software: Make sure antivirus is installed on all systems and, most importantly, kept up to date. Schedule full and quick scans from the server across all machines. System applications and the OS are also kept up to date, with patches applied regularly to keep them secure.
- Encrypted transmission: Data transmission over the internet must be encrypted, for example over a VPN. This allows us to communicate securely with others and keeps eavesdroppers at bay, securing our channels of communication.
- Track and monitor access to network resources: All login attempts need to be logged, including privileged and failed ones, along with changes to login credentials and the history of deleted objects. This logging and monitoring helps minimize the risk of a data breach. These logs are reviewed on a regular basis.
- Regular checks: Run penetration tests to find vulnerabilities in internal and external networks, and check all systems, including servers, firewalls and workstations on our network, to ensure they are secured as per PCI DSS requirements.
Having implemented all these checks and incorporated industry best practices, we can ensure better conformance to the security standards. We keep updating our systems and policies to align with global standards on a regular basis. We also educate our associates, and they fully support this by making security an integral part of their daily activities.
The network is the base of the digital banking domain, and the base should always be strong and up to date. In recent days the ransomware attack was a very big problem; because of the confidential data it holds, the banking sector was under pressure from its major effects. Being part of networking and security, it is our responsibility to face these challenges and find the way out of such situations. A small loophole in the network can create a big disaster.
While working under the PCI DSS guidelines, the network design should be simple to follow but difficult to attack; even small changes can play a very important role in the network. The date and time on systems are often neglected, but they stamp the history of incidents, so they should be accurate for the time zone (an NTP server can be used). The PCI DSS guidelines not only helped make the network strong but also indicate how to handle incidents.
Real-time changes to avoid attacks!
- Always keep an eye on every action of users; a small change in a user's behaviour is the first indication of an attack. To track these changes, a log server should be used in the network and logs should be monitored on a daily basis.
- Segmentation also plays an important role, as it stops unnecessary communication between departments of the organization. Create multiple VLANs on the core switch and put each department in a separate VLAN. This stops inter-departmental traffic and creates logical segmentation within the organization.
- It is challenging to segment roaming users (laptops), so in this case MAC binding should be done for each user.
- Implement a proper antivirus that can be controlled from a centralized server, because virus scanning of laptops on a daily basis alone is not sufficient. Infection through unwanted websites should be controlled or blocked, and the product should also be able to stop data leakage through physical media.
- User data needs to be kept very confidential, as with some software data can be tracked easily. To avoid this, a VPN should be used on public networks so that all data flows through your home network securely and cannot be tracked easily. A 2-factor authentication process is a major key to safety, which can be met by a unique SSL certificate, passwords and user IDs.
Why do attacks affect us?
Viruses like ransomware have a mass effect on an organization's systems because the construction of the network, or the implementation of the security software, follows the same prototype everywhere. There is also a lack of innovation, for example a local network built on a fixed IP range or some common range of IPs.
Viruses and attacks should be taken on a positive note, as they give you ideas for developing the security policy and a unique network strategy. Appreciate the talent of a colleague who thinks like a hacker, which will help you in gap analysis and in knowing the mindset of an attacker and the target points. Small changes make a big difference.
“The trust of the innocent is the liar’s most useful tool.” – Stephen King
I am writing this blogpost in the wake of the potentially earth-shattering discovery of security vulnerabilities in some key Java libraries. In case you are unaware of these security issues, you must 1. go through the link in the footnotes, 2. start screaming in despair and 3. continue reading this post for possible solutions. In any case, let me give you a quick description of what I am talking about.
Anyone who has written Java code will be familiar with a practice called serialization and deserialization. Serialization is the process by which objects and/or data structures are converted to streams so that they can be transported to a client or server for processing. Deserialization reverses this: the stream is converted back into the object or data structure, then processed and consumed by an application on the receiving end of the communication. FYI, this process is widely prevalent in Ruby, PHP, Python, etc., not only Java. In Java, this practice is used heavily by all kinds of apps, including Jenkins, JBoss, WebSphere, OpenNMS and so on, across various Java implementations. Typically, the serialized object is sent over the wire to the receiving system, which uses a method like readObject() or similar to process the data. The data is deserialized as a Java object and consumed, by writing it to disk, a DB, the OS, etc. This is where it gets interesting. What if an attacker loads malicious code, serializes it and sends it over the wire to the receiving system, and the receiving system deserializes the (malicious) object, processes it and writes it to disk or, worse, to the OS? It turns out that this is not only possible but highly probable, and it has the makings of a security disaster. This vulnerability would be far worse if it affected a commonly used library. It turns out that it does. The "commons-collections" library from Apache is (as the name suggests) an extremely common Java library used in several apps, like the ones mentioned above. I am quite sure that, at some level, your Java app could be using it as well. This is a very, very serious security vulnerability, for both your app and the components you are hosting it on.
Unfortunately, this has become all too common with software libraries. We use thousands of libraries in our code (across languages), and libraries make a developer's life much easier because much of the low-level work is abstracted away, so she can focus on developing quality apps. However, the problem arises when the library itself is vulnerable to attack, which in turn renders your app vulnerable. In my trainings on app security, one of the key questions I ask developers is "Do you know what vulnerabilities are present in your software libraries?" About 50% have no clue; for the second question, "Do you know how to handle these vulnerabilities?", the number with no clue increases multifold. This problem has only been aggravated by modern "agile" lifecycles with continuous deployment and continuous integration. The understanding of software library vulnerabilities has not kept pace with the scale and frequency of application development lifecycles. This unfortunately affects every programming language, the mobile paradigm not excepted.
There are some simple but powerful ways of preventing and detecting this issue of insecure libraries.
Developer awareness is the foundation of identifying and weeding out security vulnerabilities in software libraries. If developers are aware of how to spot and remediate vulnerabilities in libraries, these vulnerabilities can be reduced by a significant margin. This involves a bit of process and a bit of technology, the process being, namely, managing the library inventory, regular updates from the NVD, CVE details and so on. Often there may be a scenario where a vulnerable library is integral to the application. In such cases, developers can create compensating controls. For instance, for the Java serialization vulnerability, developers can create functions that validate size, type and instance to prevent third-party malicious code from being deserialized and processed.
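As an added example (not code from the original post), here is one way to build the compensating controls just described in Java: a size cap on the payload, a class allow-list enforced before any object in the stream is instantiated, and a type and value check on the result. The TransferRequest message class and the 4 KB limit are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Set;

public class SafeDeserialization {
    // Hypothetical message type: the only class this endpoint expects to receive.
    public static final class TransferRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String account;
        final long amountCents;
        TransferRequest(String account, long amountCents) {
            this.account = account;
            this.amountCents = amountCents;
        }
    }

    // Look-ahead deserialization: ObjectInputStream calls resolveClass() for each class
    // descriptor as it is read, before an instance of that class exists, so rejecting
    // unknown names here stops a gadget class (from commons-collections or elsewhere)
    // before any of its code can run.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Set.of(TransferRequest.class.getName());
        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Assumed upper bound on a legitimate request; oversized payloads are dropped unread.
    static final int MAX_PAYLOAD_BYTES = 4096;

    // Size check, then class allow-list, then type and value validation of the result.
    static TransferRequest parseRequest(byte[] payload) throws IOException, ClassNotFoundException {
        if (payload.length > MAX_PAYLOAD_BYTES) {
            throw new IOException("payload too large: " + payload.length + " bytes");
        }
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(payload))) {
            Object obj = in.readObject();
            if (!(obj instanceof TransferRequest)) {
                throw new InvalidClassException("unexpected root object in stream");
            }
            TransferRequest req = (TransferRequest) obj;
            if (req.account == null || req.amountCents < 0) {
                throw new IOException("request failed field validation");
            }
            return req;
        }
    }

    // Helper used only to build the sample payloads below (the sender's side of the wire).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new TransferRequest("ACC-001", 2500));
        System.out.println("accepted: " + parseRequest(good).account);
        // Constructed stand-in for an unexpected class: a harmless ArrayList is enough to
        // show the filter firing, since any class outside the list is rejected the same way.
        byte[] unexpected = serialize(new ArrayList<>(Set.of("x")));
        try {
            parseRequest(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

From Java 9 onwards (and in later Java 8 updates) the JDK offers the same kind of filtering through ObjectInputFilter and the jdk.serialFilter property, which is preferable where available.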
Continuous (Security) Integration
Today, Continuous Integration is becoming the way to go for most application development houses. Integrating security into this cycle, especially by way of identifying insecure libraries is of paramount importance.
Including specific checks in Pentesting
One of the ways that companies can really leverage penetration tests is by focusing on identifying and reporting insecure libraries. This may require an increase in scope (reviewing the library inventory), but it's well worth the effort, as you get a holistic inside-out perspective.
Insecure software libraries have been in the OWASP Top 10 list since 2013. However, with the rapid increase in the complexity and size of the average application, this requirement gets lost in the ether. Software libraries are an integral aspect of your application's functionality. It's time they became an integral part of your application's security focus as well.
One question that several people have asked me over the years is this: "Which is the most secure development platform/programming language in the world?" It is an honest question, and quite pertinent given the state of application security across the globe. However, it is akin to asking "Which language allows me to speak the best?" The answer to that question is "all of them" or "none of them". Today, on the web, we have several languages/platforms/frameworks vying for attention. All of these languages have their disciples and zealots. Yes, you even find them for languages like Perl (to be taken in the right spirit). Nevertheless, I would like to provide a glimpse into the current state of security of these programming languages and platforms, to give the most suitable response I can to the question that most people ask me.
Firstly, let me start off by saying this: in my opinion, programming languages and platforms are like tools. A skilled and security-conscious developer can do amazing things with these languages and platforms. I can safely say that a developer who is aware of security requirements and their impact on an application is truly the best defense against attacks. However, that is not the purpose of this article. For this article, I will divide my analysis into two segments:
- The Established Order
- The New(er) Kids on the Block
The Established Order
The Established Order consists of languages and frameworks that have been used since the inception of web platforms. I am principally referring to Java, ASP.NET and PHP. I am going to ignore CGI and Perl simply because I believe that most modern development across the companies I encounter does not depend on them.
Let's start with PHP. PHP is a security tester's dream. I have seldom found a secure PHP application that I have truly respected for its security implementation, which is scary because PHP is an extremely prevalent programming language on the interwebs. In addition, the simplicity of the language and the sheer number of PHP products (WordPress, etc.) dominate the world of the web. An established PHP developer told me that the reason PHP is so widely maligned from a security standpoint is that the language is splintered and distributed (a claim that I am not entirely sure of). Nevertheless, I find a rash of vulnerabilities in PHP applications, and I can safely generalize that most of the highly vulnerable applications I find are developed in PHP. Having said that, newer PHP implementations that use frameworks like Zend and CakePHP seem to have handled several issues that we used to encounter on a routine basis.
Java has gained the status of an "enterprise platform/language". I have seen Java being used either by banks and financial institutions or by established internet companies like Amazon and Google. I have observed that while Java devs seem to handle authentication and session management implementations with great comfort, I have seen several failings around Direct Object Reference attacks and Cross Site Scripting. The good thing with Java is that you have a great many code examples, lessons and tutorials on securing Java apps; however, I still find that XSS and Direct Object Reference issues are pervasive across most Java apps that we test at Verinite. Java provides great strength with reference to crypto, and I find that log4j single-handedly simplifies logging and log management for Java. However, more programmatic security issues still persist in older Java web apps. Today, we have some great Java web frameworks like Spring, Play and Vaadin that handle several security issues right out of the box.
ASP.NET is a surprise on the web platform front. It is also an extremely popular and powerful platform that has been used extensively in several applications I run into. Although one might scoff at Microsoft for its security flaws (in the OS), they have done great work promoting and promulgating security features in the platform. I see very few issues with XSS, SQL injection, session management, etc. with .NET; however, I still see business logic, Direct Object Reference and authorization flaws with the platform. I also find that .NET developers are more aware of security issues and their impact, as they seem to have several security references in their reference materials and API documentation.
The New(er) kids on the Block
In this section, I focus on languages/platforms like Python (Django), Ruby on Rails, Angular, Node and so on. While some of these languages are not exactly “old”, I have seen some modern applications and new-age product companies use these platforms and frameworks in their products.
Let's start with my personal favourite, Django (Python). I love Django. It's extremely simple and abstracts away all of the niggling security-related issues that you see requiring explicit attention on other platforms. Django pretty much solves XSS, password encryption, SQL injection, session flaws, auth flaws, XSRF and Host Header Injection right out of the box. It's less verbose and highly effective, even for apps at massive scale. However, all this security sometimes lulls developers into thinking they are invulnerable, and they make serious errors in business logic, Direct Object Reference and other areas. In addition, Django does not directly allow the use of indirect object maps, which makes fixing Direct Object Reference flaws a little cumbersome, to say the least.
Ruby on Rails has made some impressive strides in security. However, some of you might remember that Github had massive security failures due to some insecure implementations of ActiveRecord and Mass Assignment in Ruby on Rails. Ruby on Rails devs also had some security nightmares in 2013 (read CVE-2013-0156). However, in my opinion things have been rather quiet on the Ruby security front since then. Ruby also enjoys some great APIs and apps that really make a developer’s life easy when implementing security. Apps like Brakeman and Codesake are highly used and appreciated by the Ruby Dev community. Rack is a middleware component that enjoys massive usage for its inbuilt security protections.
AngularJS and Node.js are definitely new kids on the block, as they are used by the latest apps, usually in conjunction with NoSQL databases. I find that NoSQL databases are implemented in a very insecure manner, and thus we (at Verinite) find issues with these applications. We also see CSRF issues and web services auth bypass issues with these apps, and quite often HTTP Parameter Pollution in AngularJS apps implemented with NoSQL. Of course, we see some XSS attacks as well.
I think by now you would have understood that languages/platforms and their frameworks can facilitate security and its implementation. As I mentioned earlier, the most important defense against an application’s attacker is a skilled and security-conscious developer and organization that has planned, implemented and tested security extensively across the lifecycle. No language/platform or framework can serve as a defense against negligence and lack of awareness.
'Phishing' is a common word in the world of internet security. An attacker sends a victim an email or other communication pretending to be a bank or some other popular organization that the user potentially has a relationship with. The user clicks on a link, which opens the attacker's fake page (posing as the bank), and the user enters his/her username and password to authenticate, after which the attacker has the user's credentials (and access to the account) to compromise it. This is the traditional phishing model, where attackers send millions of emails to users all over the world pretending to be from a bank, financial institution, government department, etc., and unsuspecting users have been cheated out of their money or personal data. The model here is one of volume and economies of scale: the attacker targets end users, and the more users the attacker hooks, the better. This model is also aimed at regular internet users with publicly available email like Gmail, Yahoo, etc.
Subsequently, attackers started to target corporations and enterprises with 'spear phishing'. This is a phishing attack aimed at a specific organization or enterprise. An attacker looking to penetrate a particular organization sends an email or other communication to its employees, posing as an official message relating to or from the organization, steals their credentials to access their accounts, and subsequently uses that information to compromise the enterprise.
Today, however, spear phishing has evolved. It has become far more focused and deadly. For example, Savitha is an employee working at XYZ Bank. She receives an email from the company's Human Resources Department (fake) asking her to fill out a survey on employee welfare practices. The mail looks genuine and has logos and wording very similar to the bank's. Savitha clicks on the link in the email and is taken to a site with forms and a questionnaire. She fills it out, clicks submit and continues with her work. Little does she know that, as soon as she clicked and was taken to the site, the attacker had linked the page to a browser exploitation application and her browser was compromised. The attacker's browser exploit application had installed a keylogger that logs all of Savitha's keystrokes, recording her passwords to multiple applications, including the company's banking application, their email systems, etc. Additionally, the attacker's application also exploits certain common vulnerabilities on her Windows system, giving the attacker complete access to her machine, which the attacker can use to launch more specific attacks against the organization.
Modern phishing attacks focus more on capturing the user's browser and subsequently using it as a pivot to attack the machine and the enterprise. These attacks are made even more effective because organizations usually pay little attention to browser security: browsers usually aren't patched with the latest security updates and aren't hardened to prevent attacks.
One approach I have found effective is to conduct a social engineering test or phishing test against employees in the organization and share the results in a Security Awareness Training Program. People are usually on the edge of their seats when they discover that they could be victims of such attacks. It is a far cry from the bland Security Awareness Training Program that organizations conduct for their employees.
Phishing attacks, like many other attacks, are evolving to become more dangerous and powerful. Only a proactive organization can prevent and curtail the effects of this kind of attack against its people and infrastructure.