Designing federated identity management architectures for addressing the recent attacks against online financial transactions.


Designing federated identity management architectures for addressing the recent attacks against online financial transactions. Dr. Christos K. Dimitriadis Security Officer INTRALOT S.A.

Scope and Agenda Scope: Description of attacks against identity management systems and presentation of design principles for secure implementations. Agenda: Identity management definition, protocols and technologies. Threat model: Attack Trees. Design principles for addressing attacks. Conclusions.

Identity Management Identity Management: The identification of individuals in a system and the control of their access to resources within that system, by associating user rights and restrictions with an established identity. Identity Federation: The binding of two entities in an identity management system. Protocols: Liberty Alliance Specifications, Shibboleth, MS-Passport, IBM-BBAE. Authentication methods: Passwords, Soft/Hard Certificates, OTP, Challenge-response, Biometrics, Knowledge-based id verification.

Problem Definition and Approach Problem: (Federated) Identity management mechanisms are vulnerable to attacks. Approach for addressing the problem: 1. Define vulnerabilities and attacks in detail: Threat Modeling. 2. Assess existing mechanisms against the Threat Model. 3. Design an integrated mechanism for addressing the attacks of the Threat Model.

Attack trees: Threat Modeling A formal methodology for analyzing the security of systems and subsystems (Schneier, B. 1999). They provide a way to think about security, to capture and reuse expertise about security, and to respond to changes in security. Attack tree components: Root Node: Final result of the attack = Impact. Leaf Nodes: Attack path. Child Nodes: Groups of vulnerabilities for each part of the process.

Threat Model (attack tree)
Root node: Impact
    User Impact: Financial Impact, Obloquy, Legal Problems
    Business Impact: Financial Impact, Reputation Loss, Legal Problems
Identity Theft -> Use of Credentials by Attacker -> User Credential Compromise, reached through:
    User Client Attacks: Submission of Credentials to Attacker via Hidden Code, Worms and bots, Malicious e-mails
    User-side Attacks: User Surveillance, Token Stealing, Social engineering / E-mail phishing
    Token Attacks: SC Analyzers, SC Reader Manipulation, OTP window exploit, User Credential Guessing
    Direction to Malicious Website: Web Page Obfuscation, Pharming, URL Phishing
    Protocol Attacks (User Authentication Bypassing): Man-in-the-middle, Sniffing, Session hijacking

Security Assessment Several vulnerabilities have been reported that permit the attacks of the Threat Model: E.g. SAML Artifact profile: Man in the middle and replay attacks.

Designing secure solutions - Entities. Enable security for all elements in the identity management service provision path: User. User Client. Identity Provider: IdP Service: manages identity information on behalf of the users and provides assertions of user authentication to other providers. DiscS: enables various entities to discover a user's registered identity services. Service Provider: Profile Service: exposes a protocol interface to a set of resources, including identity attributes related to the service. Service.

IDM Entity Interaction Basic Protocol

Principles per element: User & Client Educate the user and create security awareness on the use of credentials. Deploy at least two-factor authentication. For increased security bind the credentials with the user: Biometrics. Knowledge-based identity verification. Deploy client security guidelines but consider clients as insecure.

Principles per element: Identity Provider. Ensure user identity privacy by transferring temporary artifacts. Do not submit real identities but profile pointers. Establish mutual authentication between Identity Provider and Service Provider elements. Add randomness to the messages exchanged and life-limits to exchanged artifacts as an additional countermeasure for replay protection.

Principles per element: Service Provider. Keep the set of attributes linked to profiles secure and non-exportable; do not submit them. Establish mutual authentication between Service Provider and Client. Enable encryption and MAC for establishing confidentiality and integrity in communications. Implement session state management against session hijacking. Harden Service Provision Gateways. Search for phishing sites that replicate or spoof the service.
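The following is an added example, not code from the presentation, illustrating the Identity Provider principles above (profile pointers instead of real identities, random nonces and life-limits on artifacts) together with the Service Provider's MAC and mutual-authentication checks. It assumes a constructed shared HMAC key that IdP and SP have agreed on after mutual authentication; the key distribution itself is not shown.

```python
import hmac, hashlib, json, os, time

# Constructed example key: stands in for a key the IdP and SP share after
# mutual authentication. Not a real deployment value.
IDP_SP_KEY = b"constructed-shared-key-for-example-only"
ARTIFACT_LIFETIME_S = 60

def issue_artifact(profile_pointer, audience, key=IDP_SP_KEY, now=None):
    """IdP side: build a MAC-protected, short-lived artifact for one SP.

    The artifact carries an opaque profile pointer rather than the real
    identity, a fresh random nonce, the intended audience and an expiry.
    """
    now = time.time() if now is None else now
    body = {
        "sub": profile_pointer,                 # profile pointer, not real identity
        "aud": audience,                        # which Service Provider may consume it
        "nonce": os.urandom(16).hex(),          # randomness against replay
        "exp": int(now + ARTIFACT_LIFETIME_S),  # life-limit of the artifact
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": tag}

class ServiceProvider:
    """SP side: verifies MAC, audience, expiry and nonce freshness."""
    def __init__(self, name, key=IDP_SP_KEY):
        self.name, self.key = name, key
        self.seen_nonces = {}  # nonce -> exp, pruned once expired

    def consume(self, artifact, now=None):
        now = time.time() if now is None else now
        payload = artifact["payload"].encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, artifact["mac"]):
            return None, "bad MAC (tampered or forged)"
        body = json.loads(payload)
        if body["aud"] != self.name:
            return None, "wrong audience (artifact meant for another SP)"
        if now >= body["exp"]:
            return None, "expired artifact"
        # Prune nonces whose artifacts can no longer be valid, so the
        # replay cache stays bounded by the artifact lifetime.
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}
        if body["nonce"] in self.seen_nonces:
            return None, "replayed artifact"
        self.seen_nonces[body["nonce"]] = body["exp"]
        return body["sub"], "ok"
```

The SP learns only the profile pointer; a captured artifact is useless once replayed, expired, altered, or presented to a different Service Provider.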

Conclusions. Attack types vary. Successful attacks may cause financial impact, legal problems or reputation loss to Service Providers and Users. Identity Management systems require a comprehensive ongoing security analysis. All paths in the attack tree should be addressed by studying the whole service provision path, not in an ad hoc, standalone way but in an integrated, holistic manner.

Thank you Dr. Christos K. Dimitriadis, CISM, CISA Security Officer [W] www.intralot.com [e-mail] dimitriadis@intralot.com