Security (Part 2 of 5)
abdelhameedqotb (25) (/@abdelhameedqotb) in #technology (/trending/technology) • 3 years ago
Part II
This was research I did with a Russian colleague a year ago, and I thought
it might help someone out there.
Kindly note that at the end of this part you will find a References section
for the whole paper (the 5 parts): this part and the upcoming ones, as it
would be difficult to separate the references of each part.
Also note that this paper was written to address non-technical folks, to
give them an overview of securing the ATM.
Training
Employee and contractor behavior is the primary source of costly data
breaches. It's also the best way to prevent loss.
Security can't be guaranteed.
As Clint Eastwood once said, "If you want a guarantee, buy a toaster." The
only secure system is one that's unplugged, turned off, and in a locked
room. Since it's not practical to leave our systems turned off, we need to
understand the risks to our systems and prepare ourselves to defend them.
Preparation begins with understanding — and that's where awareness
comes in. With all the news stories about hackers and breaches involving
personal information and ATM Security, it's easy for the security message
to sound over-used and tired. It's easy for people to say, "It won't happen
here." Yet, studies and surveys repeatedly show that the human factor
(what employees do or don't do) is the biggest threat to information
systems and assets.
Example
Late one night in Kiev, an ATM started dispensing cash seemingly of its
own accord. In its investigation of the matter, Kaspersky Labs discovered
that the bank's internal computers were compromised. These computers
were used by staff responsible for processing bookkeeping and daily
transfers. Malware called Carbanak was installed on the computers by a
targeted phishing attack and allowed the attackers to view everything done
on an infected system. Once a system is infected, Carbanak logs
keystrokes and takes a screenshot every 20 seconds, so it disclosed the
bank's routine operations and procedures to the hackers. Training employees
to identify phishing attacks and social engineering is of paramount
importance. It is difficult to protect against an employee with malicious
intent, but at the very least, awareness training can reduce the risk of
a malicious attack. Kaspersky has disclosed that more than 100 banks across
30 nations have had their accounts compromised by Carbanak. (Perlroth,
2015)
CIA
For over twenty years, information security has held confidentiality,
integrity and availability (known as the CIA triad) as the core principles of
information security. Many information security professionals firmly
believe that accountability should be added as a core principle of
information security.
Confidentiality
Confidentiality is the term used for preventing the disclosure of information
to unauthorized individuals or systems. For example, an ATM transaction
requires the card to be physically present at the ATM, where the
customer enters his PIN to authenticate the transaction, and the ATM
processes the transaction through a secured network. The system attempts
to enforce confidentiality by encrypting the card number and PIN during
transmission, by limiting the places where they might appear (in databases,
log files, backups, printed receipts, and so on), and by restricting access to
the places where they are stored. If an unauthorized party obtains the non-
physical details in any way, a breach of confidentiality has occurred.
Breaches of confidentiality take many forms. Permitting someone to look
over your shoulder at the ATM screen while you are entering your PIN
could be a breach of confidentiality. If a laptop computer containing
sensitive information about a company's employees is stolen or sold, it
could result in a breach of confidentiality. Giving out confidential
information over the telephone is a breach of confidentiality if the caller is
not authorized to have the information. Confidentiality is necessary (but
not sufficient) for maintaining the privacy of the people whose personal
information a system holds. (Sattarova, F. Y. and Prof.Tao-hoon, 2007)
Integrity
In information security, integrity means that data cannot be modified
without authorization. This is not the same thing as referential integrity in
databases. For example, integrity is violated when an employee
accidentally or with malicious intent deletes important data files, when a
computer virus infects a computer, when an unauthorized user vandalizes
a web site, when someone is able to cast a very large number of votes in an
online poll, and so on. If an automated process is not written and tested
correctly, bulk updates to a database could alter data in an incorrect way,
leaving the integrity of the data compromised. Information security
professionals are tasked with finding ways to implement controls that
prevent errors of integrity. (Sattarova, F. Y. and Prof.Tao-hoon, 2007)
Availability
For any information system to serve its purpose, the information must be
available when it is needed. This means that the computing systems used
to store and process the information, the security controls used to protect
it, and the communication channels used to access it must be functioning
correctly. ATM systems aim to remain available at all times, which means
preventing service disruptions due to power outages, hardware failures,
and system upgrades. Ensuring availability also involves preventing
denial-of-service attacks. In 2002, Donn Parker proposed an alternative
model for the classic CIA triad that he called the six atomic elements of
information. The elements are confidentiality, possession, integrity,
authenticity, availability, and utility. (Sattarova, F. Y. and Prof.Tao-hoon,
2007)
Controls
When management chooses to mitigate a risk, it does so by
implementing one or more of three different types of controls.
Logical controls
Logical controls (also called technical controls) use software and data to
monitor and control access to information and computing systems. For
example: PINs, passwords, network and host based firewalls, network
intrusion detection systems, access control lists, and data encryption are
logical controls. An important logical control that is frequently overlooked
is the principle of least privilege. The principle of least privilege requires
that an individual, program or system process is not granted any more
access privileges than are necessary to perform the task. A blatant
example of failure to adhere to the principle of least privilege is
logging into Windows as the user Administrator to read email and surf the
Web. Violations of this principle can also occur when an individual collects
additional access privileges over time. This happens when employees' job
duties change, when they are promoted to a new position, or when they
transfer to another department. The access privileges required by their new
duties are frequently added onto their already existing access privileges,
which may no longer be necessary or appropriate. (Sattarova, F. Y. and
Prof.Tao-hoon, 2007)
Physical controls
Physical controls monitor and control the environment of the workplace
and computing facilities. They also monitor and control access to and
from such facilities. For example: doors, locks, heating and air
conditioning, smoke and fire alarms, fire suppression systems, cameras,
barricades, fencing, security guards, cable locks, etc. Separating the areas
that are freely accessible from those that should only be accessed with
sufficient authorization (e.g. wall-mounting the ATM to deny back-panel
access) is a very important measure for ATM security. An important
physical control that is frequently overlooked is the separation of duties.
Separation of duties ensures that an individual cannot complete a critical
task by himself. For example: an employee should not be able to
authorize himself to inspect/reload the ATM. Collusion between
employees is still possible, but the risk is smaller than giving all controls to
a single person. An applications programmer should not also be the server
administrator or the database administrator; these roles and
responsibilities must be separated from one another. (Sattarova, F. Y. and
Prof.Tao-hoon, 2007)
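The two frequently overlooked controls above, least privilege (rights that pile up as duties change) and separation of duties (one person both authorizing and performing an ATM reload, or a programmer who is also the server administrator), are exactly what a periodic access review looks for. The following is an added example and not code from the paper; every role, permission and employee record in it is constructed sample data.

```python
# Added example (not from the paper): an access review that flags privilege
# creep (least privilege) and one person holding both halves of a critical
# task (separation of duties). All data below is constructed sample data.

# Permissions each role actually needs for its current duties (constructed).
ROLE_REQUIRED = {
    "teller": {"view_account", "post_transaction"},
    "atm_custodian": {"reload_atm", "inspect_atm"},
    "atm_supervisor": {"authorize_atm_reload"},
    "app_programmer": {"deploy_app", "read_source"},
    "server_admin": {"manage_server"},
}

# Permission pairs that one individual must never hold together (constructed).
SOD_CONFLICTS = [
    ("authorize_atm_reload", "reload_atm"),  # authorizes and performs the reload
    ("deploy_app", "manage_server"),         # programmer who is also server admin
]

def excess_privileges(role, granted):
    """Privileges granted beyond what the employee's current role requires."""
    required = ROLE_REQUIRED.get(role, set())
    return sorted(set(granted) - required)

def sod_violations(granted):
    """Conflicting permission pairs held by the same individual."""
    held = set(granted)
    return [pair for pair in SOD_CONFLICTS if held.issuperset(pair)]

def review_access(employees):
    """Map each employee with a finding to the excess rights and SoD conflicts."""
    findings = {}
    for name, (role, granted) in employees.items():
        excess = excess_privileges(role, granted)
        conflicts = sod_violations(granted)
        if excess or conflicts:
            findings[name] = {"excess": excess, "sod": conflicts}
    return findings

# Constructed sample: alice kept her teller rights after moving to supervisor,
# bob kept his custodian reload right after promotion, carol is a programmer
# who was also made server admin, dave's access matches his role.
EMPLOYEES = {
    "alice": ("atm_supervisor", {"view_account", "post_transaction", "authorize_atm_reload"}),
    "bob": ("atm_supervisor", {"authorize_atm_reload", "reload_atm", "inspect_atm"}),
    "carol": ("app_programmer", {"deploy_app", "read_source", "manage_server"}),
    "dave": ("server_admin", {"manage_server"}),
}
```

Running `review_access(EMPLOYEES)` reports alice's leftover teller rights, bob's reload right (which also conflicts with his authorization right) and carol's server-admin right, while dave produces no finding.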
References
Brad, G. (2005, January 12). The Role of the Security Analyst in the Systems
Development Life Cycle. SANS Institute. Retrieved from
http://www.sans.org/reading-room/whitepapers/awareness/role-security-analyst-systems-development-life-cycle-1601
PCI. (2010, October). PCI DSS Quick Reference Guide. Retrieved from
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
PCI Security Standards Council. (2013, January). PCI PIN Transaction Security
Point of Interaction Security Requirements (PCI PTS POI). Retrieved from the
PCI website:
https://www.pcisecuritystandards.org/pdfs/PCI_ATM_Security_Guidelines_Info_Supplement.pdf
Weight, A. (2009, September). ATM Security Working Group: Best Practice for
Physical ATM Security. Retrieved from
http://www.link.co.uk/SiteCollectionDocuments/Best_practice_for_physical_ATM_security.pdf
#cryptocurrency (/trending/cryptocurrency)