Development and Industrial Application of Multi-Domain Security Testing Technologies

Similar documents
Securing and Accelerating Databases In Minutes using GreenSQL

WIND RIVER SECURE ANDROID CAPABILITY

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

White Paper Secure Reverse Proxy Server and Web Application Firewall

Introduction to Penetration Testing Graham Weston

Essential IT Security Testing

Securing VoIP Networks using graded Protection Levels

Windows Remote Access

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Tableau Online Security in the Cloud

Application Security Testing

Maruleng Local Municipality

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Integration Technologies Group (ITG) ITIL V3 Service Asset and Configuration Management Assessment Robert R. Vespe Page 1 of 19

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Automatic Hotspot Logon

Enterprise K12 Network Security Policy

8 Steps for Network Security Protection

Application Intrusion Detection

8 Steps For Network Security Protection

Network Test Labs (NTL) Software Testing Services for igaming

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Security Controls for the Autodesk 360 Managed Services

SQL SERVER Anti-Forensics. Cesar Cerrudo

SAVMDS: A Software Application Vulnerability Management Dashboard System

Security Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada

Loophole+ with Ethical Hacking and Penetration Testing

Cross Site Scripting in Joomla Acajoom Component

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

BlackBerry 10.3 Work and Personal Corporate

FORBIDDEN - Ethical Hacking Workshop Duration

Client logo placeholder XXX REPORT. Page 1 of 37

Windows Phone 8 devices will be used remotely over 3G, 4G and non-captive Wi-Fi networks to enable a variety of remote working approaches such as

Common Criteria Web Application Security Scoring CCWAPSS

Cyber Security for SCADA/ICS Networks

Security Implications Associated with Mass Notification Systems

CONTENTS. PCI DSS Compliance Guide

Last update: February 23, 2004

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Information Technology Branch Access Control Technical Standard

Security Certification of Third- Parties Applications

Module 5 Introduction to Processes and Controls

Conducting an IP Telephony Security Assessment

Risk Management in the Development Process A Progress Report

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

ICAB5238B Build a highly secure firewall

Standard: Web Application Development

Windows Operating Systems. Basic Security

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Security and Vulnerability Testing How critical it is?

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

REDCENTRIC MANAGED ARCHIVE SERVICE SERVICE DEFINITION

13 Ways Through A Firewall

SharePoint Governance Execution

The monsters under the bed are real World Tour

Adobe Systems Incorporated

Security Issues with Integrated Smart Buildings

LEARNING SOLUTIONS website milner.com/learning phone

Voice Over IP (VoIP) Denial of Service (DoS)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

NAPT. (SV8100 version 3.0 or higher)

How To Protect Your Network From Attack From A Hacker (For A Fee)

Network & Information Security Policy

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

CA ARCserve and CA XOsoft r12.5 Best Practices for protecting Microsoft Exchange

Evaluation Report. Office of Inspector General

Internet Security and Acceleration Server 2000 with Service Pack 1 Audit. An analysis by Foundstone, Inc.

How To Improve Alancom Vpn On A Pc Or Mac Or Ipad (For A Laptop) With A Network Card (For Ipad) With An Ipad Or Ipa (For An Ipa) With The Ipa 2.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Securing Corporate on Personal Mobile Devices

Microsoft SQL Server Express 2005 Install Guide

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PPC s SMART Practice Aids Prepare for Installing database upgrade to SQL Express 2008 R2

Where every interaction matters.

Thick Client Application Security

Application Security Testing. Generic Test Strategy

DEVELOP ROBOTS DEVELOPROBOTS. We Innovate Your Business

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Overview of computer and communications security

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Quick Start Guide for OnTime Now

Best Practices Report

13 Ways Through A Firewall What you don t know will hurt you

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Recommended Practice Case Study: Cross-Site Scripting. February 2007

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

The Cloud App Visibility Blindspot

SAFECode Security Development Lifecycle (SDL)

Taxonomic Modeling of Security Threats in Software Defined Networking

How To Protect Information At De Montfort University

Link Layer and Network Layer Security for Wireless Networks

Deploy Remote Desktop Gateway on the AWS Cloud

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

Unified Threat Management, Managed Security, and the Cloud Services Model

How To Use Windows Live Family Safety On Windows 7 (32 Bit) And Windows Live Safety (64 Bit) On A Pc Or Mac Or Ipad (32)

A Proxy-Based Data Security Solution in Mobile Cloud

Transcription:

Development and Industrial Application of Multi-Domain Security Testing Technologies Case Study Experience Sheet Trusted Service Manager (TSM) Case Study from Gemalto

Telecommunication Case Gemalto Characterization The Trusted Service Manager (TSM) remotely manages NFC services on behalf of service providers into end user mobile secure elements: Secure element can be a SIM card or a μsd NFC service could be payment or transport card, hotel key, loyalty card WAN MNO SP LAN VPN TSM VPN CCI Admin RP End User RP FE MNO = Mobile Network Operator SP = Service Provider Admin = Administrator RP = reverse proxy FE = TSM Front End

Characterization Security challenges Restricted access to web services: The access to all web services should be restricted to authorized users. Accessing a web service allows provisioning the Trusted Service Manager and launching service activation, deletion, lock... Prevent Admin Hijacking: The administrator account of the operation system, the database and the TSM application should be secured to prevent hijacking this account. Hijacking an administrator account is used to get the privileges of an administrator account. Prevent manipulation of database data: The database contains sensitive information about the end user such as MSISDN or banking personalization data. The data in the database should be secured to prevent manipulation. Prevent infiltration/manipulation of software: The trusted service manager should be secured to prevent manipulation and infiltration. Software manipulation can be used to fake data or to provoke errors on the trusted service manager behavior. Case study: testing TSM behavior in case of attack Interface 1: Provisioning of database with corrupted data (state-charts) with admin access (restricted access to web service and admin hijacking) Interface 2: Sending back fake data (infiltration / manipulation)

Test interfaces - Service denial - Falsification Not included - SQL injection in tests - Jamming 1.SP/Admin d c TSM 2.TSM d c remote secure element (in mobile) 3. TSM d c MNO 4. JMX events for monitoring interface

Results Tests run without MMOG (Gemalto smart reverse proxy filtering first level of attacks) Only testing of TSM: not full system as in production environment Results to be mitigate compare with MMOG usage Focus on risks related to Configuration / provisioning modification (interface 1) Manipulation of data (interface 2) Until now, 2 weaknesses were found Both are corrected in new product version Confidence in the security of the system is strengthened Metrics TSM stability / robustness Security property definition

Exploitation For risk analysis has been proved of value graphical modelling specification of assets to be protected Saved resources due to reuse of functional test cases and reuse of test execution environment for non-functional security testing integration of data fuzzing in the TTCN-3 execution environment keeps the behavioural model clean and concise allows easy combination of data and behavioural fuzzing Standardization of DIAMONDS results provides certification options for products with security requirements

Summary Improvement gains according to DIAMONDS STIP: Automated test environment For complex scenarios: several approaches combination (dynamic behavior verification) Reusable for functional and nonfunctional security testing Definition of security properties Extendable model (database check or new properties)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information