CYBERCRIME WORKSHOP (27th – 28th October 2010)

TECHNOLOGY PARTNERS LIMITED
And
NETWORK INTELLIGENCE (INDIA) PVT. LTD.

EXECUTIVE SUMMARY

1.1 INTRODUCTION

Cyber crime and financial crime have now truly blended together into a menacing and malicious force that threatens to destabilize not only the financial networks of the world, but also potentially threatens to affect national security itself. As a country looking to lead the African continent, Kenya has always shown great foresight in implementation of global standards and benchmarks. The time has come for the banking and financial industry to look at leading from the front in implementation of a National Financial Cyber-Security Framework.

1.2 BACKGROUND OF THE ENGAGEMENT

This proposal outlines the need for conducting a national level workshop involving all the banking and financial sector leaders to evolve a national consensus on Cyber Security. You may kindly note that NII consultants and trainers have extensive experience within the BFSI domain across the globe:

1. National Commercial Bank – largest bank in Saudi Arabia
2. Samba Financial Group – second largest bank in Saudi Arabia
3. Abu Dhabi Stock Exchange
4. Bank Al Boubyan
5. Ahli Bank Kuwait
6. Royal & Sun Alliance
7. Bank Muscat
8. Bank of India
9. State Bank of India
10. HSBC
11. BNP Paribas
12. ICICI Prudential
13. Sharekhan
14. ENAM
15. Indiabulls
16. Dubai Financial Market

1.3 SCOPE OF WORK

The scope of this proposal covers the following stages:

1.3.1 STAGE A – WORKSHOP ON CYBERCRIME AND INVESTIGATION

Conduct an eye-opening workshop highlighting the state of cybercrime across the world and targeted at the Banking and Financial Services Industry. The workshop will also focus on the tools and techniques available for forensics investigations.

1.4 ENGAGEMENT BENEFITS

A comprehensive information security audit exercise delivers a number of benefits to the client.
Some of these are:

1.4.1 AWARENESS

Create tremendous awareness of the global state of cyber crime, techniques of financial criminals, as well as the tools and techniques available to cybercrime investigators.

1.4.2 DETERMINE SECURITY POSTURE

This exercise helps to identify vulnerabilities and helps identify the comprehensive security status of the network. The identified vulnerabilities could have a material impact on the organization’s financial position and reputation. It also identifies the controls that must be implemented to mitigate the identified security risks.

1.4.3 ASSURANCE TO CLIENTS AND OTHER STAKEHOLDERS

The organization’s commitment to get these assessments conducted, and act on the recommendations provides assurance to customers and stakeholders that it is willing to be evaluated against industry standards and adopt those.

1.4.4 PRIORITIZE INVESTMENTS IN INFRASTRUCTURE

One of the deliverables of this service is a quality security test report which gives high clarity to top management and helps prioritize actions for the security team. This exercise helps to identify the areas in which the organization would need to invest in terms of upgrading or enhancing its IT infrastructure. It would provide a clear picture to senior management of the benefits of investing in specific technologies, as well as Return on Investment (ROI) for the current infrastructure.

1.4.5 AID IN DEVELOPING IT STRATEGY

This assessment will help develop an IT strategy by identifying focus and growth areas, as well as best practices in the implementation of the strategy.

1.5 WHY NII

Network Intelligence, incorporated in 2001, is a committed and well-recognized provider of services, solutions and products in the IT Governance, Risk Management, and Compliance space. Our professionals have made a mark for themselves with highly satisfied clients all across the globe supported by our offices in India and the Middle East.
As an ISO 27001-certified company ourselves, we are strongly positioned to understand your needs and deliver the right answers to your security and compliance requirements. We have won accolades at numerous national and international forums and conferences. The top reasons that make us the primary choice for numerous organizations are:

1.5.1 AUTOMATED TOOLS FOR TECHNICAL ASSESSMENT

AuditPro is a comprehensive policy-based security auditing tool for Windows 2003/XP/2000, Linux, Oracle and MS SQL Server. It is very powerful for conducting the technical assessment, and many of its features are in line with ISO 27001 and other international standards.

Firesec is a firewall configuration analysis tool for Cisco PIX, Netscreen, and Cyberguard firewalls.

1.5.2 EXTENSIVE CONSULTING EXPERIENCE

We have provided the profiles of the consultants who will be engaged in this assignment. They are highly certified as well as experienced in network and security audits. Some of the pertinent certifications are:

- Certified Information Systems Security Professionals (CISSP)
- Certified Information Systems Auditors (CISA)
- Certified Information Security Managers (CISM)
- BS 25999 Lead Auditor (Business Continuity Management)
- ISO 27001 Lead Auditor and Implementor
- Certified Ethical Hackers (CEH)
- Cisco Certified Network Associate (CCNA)
- Microsoft Certified Systems Engineer (MCSE)

1.5.3 SOME OF OUR PRESTIGIOUS CLIENTS FOR SECURITY AUDITS INCLUDE:

| Clients | Sector | Country |
|---|---|---|
| Atlas Air Worldwide Holdings, Inc | AIRLINES | USA |
| Al Ahli Bank | BANK | KUWAIT |
| Bank Muscat | BANK | MUSCAT |
| Bank of Bahrain and Kuwait | BANK | BAHRAIN |
| Gulf Bank | BANK | KUWAIT |
| Leading Bank in Japan | BANK | JAPAN |
| National Commercial Bank | BANK | KSA |
| State Bank of India | BANK | INDIA |
| United National Bank | BANK | UAE |
| Bank of Rajasthan | BANK | INDIA |
| Abu Dhabi Chamber of Commerce and Industry | BFSI | UAE |
| Saudi Telecom | TELECOM | KSA |
| Dubai Financial Market | BFSI | UAE |
| Gulf Research Center | BFSI | UAE |
| ICICI Prudential Life Insurance Company | BFSI | INDIA |
| Karvy Computer Share Pvt. Ltd. | BFSI | INDIA |
| Northwestern Mutual | BFSI | USA |
| SBI Life Insurance | BFSI | INDIA |
| Sharekhan | BFSI | INDIA |
| Epicenter Technologies Pvt. Ltd. | BPO | INDIA |
| Indusa Infotech Services Pvt. Ltd | BPO | INDIA |
| Integreon Managed Solutions Pvt. Ltd. | BPO | INDIA |
| Tracmail (India) Pvt. Ltd | BPO | INDIA |
| Google-Store.com | E-COMMERCE | USA |
| People Interactive (I) Pvt. Ltd. | E-COMMERCE | INDIA |
| Mozilla-Store.com | E-COMMERCE | USA |
| Tajonline | E-COMMERCE | INDIA |
| Zapak | E-COMMERCE | INDIA |
| GroupM Media India Pvt. Ltd. | MEDIA | INDIA |
| United Nations World Food Programme | NGO | ITALY |
| Atos Origin India Pvt. Ltd. | SOFTWARE | INDIA |
| CAPGEMINI | SOFTWARE | INDIA |
| Prana Studios Pvt. Ltd. | SOFTWARE | INDIA |
| Tata Interactive Services | SOFTWARE | INDIA |
| Bahrain Telecom | TELECOM | BAHRAIN |

1.5.4 AN UNYIELDING COMMITMENT TO SECURITY RESEARCH

Our teams are constantly engaged in extensive research covering various aspects of information security and penetration testing. The results from these efforts are available at http://www.niiconsulting.com/innovation.html and have been well-received by the security community. Some of these are listed below:

- Significant contribution to the OWASP Guide and the ISSAF by our principal consultant K. K. Mookhey
- Author of book on Metasploit Framework by Syngress Publishing
- Numerous articles by our consultants published at SecurityFocus, IT Audit and Checkmate
- Presentations at prestigious security conferences such as Blackhat (Las Vegas), Interop and IT Underground
- Security researchers at NII have discovered vulnerabilities in software from vendors such as Oracle, Microsoft, Nortel, and others
- Adopted responsible disclosure to ensure vendors fix these vulnerabilities

1.5.5 CONTINUOUSLY IMPROVING AND EXPANSIVE METHODOLOGY

Our penetration testing methodology adopts and adapts best-practice frameworks such as OWASP, OSSTMM and ISSAF.
Our endeavor to continuously ideate, innovate and improve ensures that with every test, we customize our approach, scripts and tools to ensure a comprehensive assessment of the internal and external security vulnerabilities. More often than not during any penetration testing engagement, we come up with our own tools. Our in-house and most popular tools, used by many organizations, are AuditPro and Firesec.

1.5.6 INTERNATIONAL AND DOMESTIC ACCREDITATION

NII is one of the first Information Security consulting firms to have achieved the ISO/IEC 27001 certification - http://www.niiconsulting.com/NII_ISO_Certification.html. The scope of our certification covers all our services, and ensures secure transmission, storage and disposal of all client confidential information.

NII is also empanelled as a security auditor by CERT-In, the Indian Computer Emergency Response Team, an initiative of the Government of India.

NII is also registered with the United Nations Global Marketplace, as an accepted vendor to UN organizations such as WFP, FAO, UNESCO, etc.

TRAINING CONTENTS

1.6 CYBER CRIME

The term cyber-crime no longer refers only to hackers and other external attackers. Almost every case of financial fraud or employee misuse involves a very strong element of computer-based evidence. NII has been providing professional computer forensics services to clients for the past four years. It now brings together its consolidated expertise into a two-day hands-on workshop on Certified Professional Forensic Analyst (CPFA). The entire workshop is driven by hands-on exercises and case studies to ensure that all aspects have a real-life scenario-based approach.

1.6.1 KEY BENEFITS:

- What should one do when there is a suspicion of a computer-based crime?
- What tools and techniques are most likely to yield the right set of clues?
- How should the investigation be carried out such that it can be presented in a court of law?
- Hands-on practice with the world’s leading forensics tool – Encase
- Helps you prepare for the SANS GCFA and EC-Council’s CHFI
- Become an IIS Certified Forensics Professional (ICFP)

1.6.2 WHO SHOULD ATTEND THIS COURSE?

- Auditors and financial fraud examiners
- Chief Security Officers and Chief Technology Officers
- Professionals seeking a career in computer forensics and cyber crime investigations
- Security and Network Administrators

1.6.3 COURSE OUTLINE

1.6.4 COMPUTER CRIME – CASE STUDIES THREAT SCENARIOS

- Hacking Incidents
- Financial Theft
- Theft of Identity
- Corporate Espionage
- Email Misuse
- Pornography

1.6.5 INTRODUCTION TO INCIDENT RESPONSE AND COMPUTER FORENSICS

- Pre-Incident Preparation
- Detection of Incidents
- Initial Response Phase
- Preserving “Chain of Custody”
- Response Strategy Formulation
- Evidence Collection and Analysis
  o Defining Evidence
  o Forensically Sound Evidence Collection
  o Evidence Handling
  o Host Vs Network Based Evidence
  o Online Vs Offline Response
- Digital Forensics - Putting on the Gloves
  o The 6 A's
  o The Investigative Guidelines
  o Disk-based Forensics Vs Network-based Forensics
- Reporting the Investigation

1.6.6 INTRODUCTION TO NETWORK FORENSICS

- Network Devices
- Introduction to Log Analysis
- Analyzing Snort and Firewall Logs
- Analyzing Apache, IIS, Squid Logs
- Network Intrusion Case Study Using Tcpdump, Snort, Tcpdstat, argus, tcpflow, tcptrace

1.6.7 EVIDENCE COLLECTION AND ANALYSIS - INTRODUCTION TO LIVE RESPONSE

- The Do’s and the Don’ts
- Windows Live Response
- Linux Live Response

1.6.8 DATA ACQUISITION / DISK IMAGING

- Learning the ropes – the essentials
- Disk Imaging using Linux (dd, sdd, dcfldd) and Netcat
- Disk Imaging using Encase, Helix Bootable disk

1.6.9 FORENSICS ANALYSIS OF THE EVIDENCE

- Analysis using Helix
- Basic and advanced analysis using Encase v5 Forensic edition

1.6.10 FORENSICS ANALYSIS - INTERNET MISUSE - BROWSER FORENSICS

- Understanding Browser history artifacts
- Browser Forensics
  o Using Encase
  o Using Netanalysis, WebHistorian

1.6.11 DIGGING DEEP INTO THE CYBER WORLD - EMAIL AND WEBSITE TRACING

- Using SmartWhois, Neotrace

1.6.12 WINDOWS REGISTRY FORENSICS

- Understanding Registry structure
- Understanding MRU lists
- Understanding UserAssist
- Registry Forensics using ENCASE

1.6.13 MALICIOUS BINARY ANALYSIS

- Using IDA freeware
- Using strings.exe
- Using BinText
- Using Regmon, Tcpmon
- Using Peid

1.6.14 DOCUMENTING THE INVESTIGATION

1.6.15 FORENSICS CHALLENGE CASE STUDY

1.6.16 TOOLS USED

- Encase Forensic edition
- Helix Bootable CD
- The Coroner’s Toolkit
- Tcpdump
- Snort
- Tcpdstat
- Argus
- Tcpflow
- Tcptrace
- Ethereal
- Neotrace
- Smartwhois
- Peid
- NetAnalysis
- Web Historian
- Bintext
- IDA freeware

CONSULTANT PROFILES

1.7 PROJECT TEAM STAFFING:

| NAME | TITLE | CERTIFICATIONS | BANKING AND OVERALL EXPERIENCE |
|---|---|---|---|
| K.K. MOOKHEY | PRINCIPAL CONSULTANT | CISSP, CISM, CISA, BS 7799 | OVER 9 YEARS OF EXPERIENCE IN INFORMATION SECURITY, ESPECIALLY IN THE TELECOM, BFSI AND IT/ITES SECTORS. CLIENTS INCLUDE SAMBA FINANCIAL GROUP, UNITED NATIONS WFP, ABU DHABI STOCK EXCHANGE, DUBAI FINANCIAL MARKET, SHAREKHAN, ETC. |
| TAUFIQ ALI | TEAM LEAD – TECHNICAL ASSESSMENT | CEH | OVER 3 YEARS OF EXPERIENCE. HE IS A LEAD SECURITY PROGRAMMER, VULNERABILITY ASSESSOR, AND PENETRATION TESTER AT NII. HE IS ALSO A CERTIFIED ETHICAL HACKER, AND HAS PERFORMED VULNERABILITY ASSESSMENT AND BUSINESS LOGIC PENETRATION TESTING FOR SOME OF NII’S PREMIER CUSTOMERS. HE HAS CONSISTENTLY IMPRESSED CLIENTS WITH HIS ABILITY TO THINK OUT OF THE BOX, AND CREATIVELY ATTACK SYSTEMS AND APPLICATIONS. HE IS WELL-VERSED WITH METHODOLOGIES SUCH AS OWASP AND OSSTMM. |

TABLE 1: PROJECT TEAM

K. K. MOOKHEY – PRINCIPAL CONSULTANT

Summary

Kanwal K. Mookhey (CISA, CISSP, CISM) is the Principal Consultant and Founder at Network Intelligence (www.niiconsulting.com) as well as the Founder of The Institute of Information Security (www.iisecurity.in). He is an internationally well-regarded expert in the field of IT governance, information risk management, forensic fraud investigations, compliance, and business continuity.
He has more than a decade of experience in this field, having worked with prestigious clients such as The Indian Navy, United Nations, Abu Dhabi & Dubai Stock Exchanges, State Bank of India, Atos Origin, Saudi Telecom, World Customs Organization, Capgemini, Royal & Sun Alliance, and many others. His skills and know-how encompass risk management, compliance, business continuity, application security, computer forensics, and penetration testing. He is well-versed with international standards such as COBIT, ISO 27001, PCI DSS, BS 25999, and ITIL / ISO 20000. He is the author of two books (Linux Security And Controls by ISACA, and Metasploit Framework, by Syngress Publishing), and of numerous articles on information security. He has also presented at conferences such as OWASP, Blackhat, Interop, IT Underground and others.

Certifications

- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- BS 7799 Lead Implementor from BSI

Areas of Expertise

- IT Governance, Risk Management & Compliance
- Penetration Testing
- Fraud Investigations
- Digital Forensics & Cyber Laws Compliance
- Security Architecture
- Business Continuity and Disaster Recovery
- Security Evangelism
- Telecom and BFSI Security

Technical Skills

- Cryptography
- TCP/IP Security
- Telecom Security
- Application Security & Secure Coding
- Well-versed with security of numerous
  o Operating Systems
  o Databases
  o Firewalls
  o IDS/IPS
  o Security Event Management solutions
  o Data Leakage Prevention solutions
  o Identity Management solutions
  o Network Access Control solutions
  o Unified Threat Management solutions
  o Anti-virus and Anti-spam solutions
- Digital forensics tools and techniques
- Commercial and open-source security assessment tools

Other skills

- Strong communication and inter-personal skills
- Strong project management skills and know-how
- Public speaking and presentation skills

Training

Well-recognized as a trainer, and has won numerous accolades for hundreds of skills workshops conducted for prestigious clients such as

- Reserve Bank of India
- The Indian Navy
- Institute of Chartered Accountants of India
- ISACA Mumbai Chapter

Books

- Linux Security, Audit and Control Features, published by ISACA
- Metasploit Framework – Syngress Publishing
- The Ultimate Startup Guide

Security Articles and Publications

Articles & Research

- Auditing IT Project Management
  http://www.theiia.org/itaudit/features/in-depth-features-5-108/auditing-it-project-management/
  IT Audit, by the Institute of Internal Auditors, May 2008
- Key Strategies for Implementing ISO 27001
  http://www.theiia.org/ITAuditArchive/?aid=2047&iid=440
  IT Audit, by the Institute of Internal Auditors, February 2006
- Evaluating Application Security Controls
  http://www.theiia.org/ITAuditArchive/?aid=2682&iid=541
  IT Audit, by the Institute of Internal Auditors, June 2007
- Penetration Testing of IPSec VPNs
  http://www.securityfocus.com/1821
- Common Criteria – an overview
  Information Systems Control Journal by ISACA, Volume 1, 2005
- The Metasploit Framework (3-part article)
  http://www.securityfocus.com/1789
- Common Security Vulnerabilities in e-commerce systems
  http://www.securityfocus.com/infocus/1775
- Detection of SQL Injection and Cross-site Scripting Attacks
  http://www.securityfocus.com/infocus/1768
- Auditing Oracle Security
  http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=550
- Open Source Tools for Security and Control Assessment
  Information Systems Control Journal by ISACA, Volume 1, 2004
- Apache Security Controls and Auditing
  Information Systems Control Journal by ISACA, Volume 5, 2003

Conferences

- “Penetration Testing vs. Source Code Review” at OWASP Asia 2009 – New Delhi
- “Risk-based Penetration Testing” at OWASP Asia 2008 – Taiwan
- Interop India 2009 – Wireless Security and Chair of Session on Network Access Control
- “Cyber security for Netizens” at Bangalore Cyber Security Summit, 2009
- “Digital Forensics in Fraud Investigation” at Seminar on Fraud and Forensic Accounting, Mumbai 2009
- “Business Web Application Testing”, OWASP Asia 2008, Taiwan
- “Web Application Security”, Networld+Interop, Las Vegas 2005
- “Evasion and Detection of Web Application Attacks”, BlackHat USA, 2004
- “VPN Security Assessment”, IT Underground 2005, Prague, Czech Republic
- “Computer Forensics”, Seminar on “Fraud Management”, by Marcus Evans 2004, 2008, 2009

Press and Interviews

- Linux Security, Audit and Control Guidance Featured In New Book from Information Systems Audit and Control Association
- “Neo has a new business model”, Economic Times, Front Page, 11th September 2004
  http://economictimes.indiatimes.com/articleshow/847169.cms
- “Tips for ferreting out vulnerable code”, Loop, August 2004
  http://loop.interop.com/comments.php?id=217_0_1_0_C
- “Security Assessment Methodology – Cover Story”, Network Magazine, December 2001
  http://www.networkmagazineindia.com/200112/cover2.htm
- “Linux Based Firewall Case Study”, March 2004
  http://www.cxotoday.com/cxo/jsp/printstory.jsp?storyid=709

Testimonials

“KK and his team did a brilliant job in guiding us towards the 27001 certification. Their approach was very methodical and systematic right from the stage of gathering requirements in the initial stages to the documentation work and then trainings and audit readiness stages. In fact what I liked the most about KK's approach was that he focused on transferring his knowledge to us which has enabled us to sustain the improvements even without his involvement. They never restricted themselves to the scope of the contract. They were willing to go that extra mile to make sure that it added business value to us.”
Prabhanjan Pandurang, Director Quality and Continuous Improvement, Integreon

“KK is a smart security professional and a great presenter as well.”
Anton Chuvakin, Director of PCI Compliance Solutions, Qualys

“Working with KK is a real pleasure. He has excellent management and analytical skills. He knows his job very well and is really good at managing customer expectations in a complex project environment.”
Hasan Qutbi, Partner, Solution Intelligence FZ LLC

“Kanwal is one of the most dynamic, innovative and hardworking individuals I have met in the Information Security space. His past work and achievements speak for himself.”
Kartik Shinde, Manager, KPMG