Day 1-Session I Vijay Mauree, ITU Security...
DFS Security Assurance Framework
Vijay Mauree, ITU
About ITU
UN specialized agency for ICTs
‘Committed to Connecting the World’
Allocation of radiofrequency spectrum and satellite orbits
Bridging the digital divide
Establishing international standards
ITU Website: www.itu.int
About ITU
Member States
Private-sector entities
Academia*
* Academia admitted to 3 Sectors of ITU for a single fee
FIGI Security, Infrastructure and Trust WG (led by ITU)
Objectives
• Build confidence and trust in the use of DFS
• Develop technical guidelines and best practices for application security
• Address cybersecurity issues in payments
• Address unlicensed digital investment schemes (digital Ponzi schemes)
• Investigate impact of new technologies on security and consumer protection
More info: see the SIT WG website:
https://www.itu.int/en/ITU-T/extcoop/figisymposium/Pages/FIGISITWG.aspx
DFS Security Assurance Framework
Objectives
• Identify DFS security threats and vulnerabilities
• Propose mitigation measures to security threats
• Develop guidelines for a DFS security audit
How this framework is formulated
• ISO 27001 – Risk Management Framework
• DFS stakeholder analysis for vulnerabilities and threat entry points
We also consider elements of DFS ecosystems for:
• Mobile payments using USSD, SMS, IVR and STK
• Mobile payment applications and digital wallets (e.g. Google Pay, Apple Pay, WeChat Pay).
The ITU-T Recommendation X.805
The ITU-T Recommendation X.805 security architecture has eight ‘security dimensions’, each a set of measures designed to address a particular aspect of network security. We use these dimensions to classify and categorize the security controls for the different threats within the DFS ecosystem.
Elements of a DFS ecosystem using USSD, SMS, IVR, STK and NSDT
Mobile payment applications and digital wallets
Adopted from ENISA
Risk Assessment Framework (ISO 27001)
Risk Identification
• Identify DFS assets
• Identify associated vulnerabilities
• Identify threats
• Identify existing controls
• Identify consequences
Risk Analysis
• Assessment of consequences
• Likelihood and impact of occurrence
• Define inherent risks
• Definition of residual risks
Risk Evaluation
• Identify controls implemented to reduce vulnerability
• Evaluate effectiveness of existing controls
• Define risk impact
The Threats to DFS Ecosystem
Controls
• Use X.805 security dimensions as a way of classifying the vulnerabilities that arise from the threats
• Categorize the controls in terms of generalized threats: this allows coalescing of threats common across multiple stakeholders to simplify discussion
• Risks, vulnerabilities, and threats are discussed relative to the given stakeholder
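The risk-assessment steps on the ISO 27001 slide (identify assets, vulnerabilities, threats, existing controls and consequences; derive inherent and residual risk; evaluate control effectiveness) and the classification of controls by X.805 security dimension from the X.805 and Controls slides, carried through as one added worked example. This is illustrative Python written for this page, not code from the ITU/FIGI presentation: the two register entries reuse the risks, vulnerabilities and controls C1 and C2 that the example-threat slides name, while the 1-5 likelihood and impact scales, the control-effectiveness fractions, the multiplicative residual-risk model and the high/medium/low thresholds are assumptions. The eight dimension names are those defined in ITU-T X.805.

```python
"""ISO 27001-style risk register for a DFS ecosystem, with each control
tagged by its X.805 security dimension.

Added illustration, not code from the ITU/FIGI presentation. The register
entries are constructed from the slide examples; the scoring scales, control
effectiveness figures and rating thresholds are assumed values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class X805Dimension(Enum):
    """The eight security dimensions defined in ITU-T Recommendation X.805."""
    ACCESS_CONTROL = "access control"
    AUTHENTICATION = "authentication"
    NON_REPUDIATION = "non-repudiation"
    DATA_CONFIDENTIALITY = "data confidentiality"
    COMMUNICATION_SECURITY = "communication security"
    DATA_INTEGRITY = "data integrity"
    AVAILABILITY = "availability"
    PRIVACY = "privacy"


@dataclass
class Control:
    name: str
    description: str
    dimension: X805Dimension
    effectiveness: float  # assumed model: fraction of threat likelihood removed (0-1)


@dataclass
class Risk:
    asset: str
    stakeholder: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 = rare ... 5 = almost certain (assumed scale)
    impact: int      # 1 = negligible ... 5 = severe (assumed scale)
    controls: list[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Inherent risk: likelihood x impact before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Residual risk after existing controls; each control independently
        removes its share of the remaining likelihood (assumed model)."""
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return round(self.likelihood * remaining * self.impact, 2)


def rating(score: float) -> str:
    """Map a score on the 1-25 scale to a rating band (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_sample_register() -> list[Risk]:
    """Constructed sample register built from the two example-threat slides."""
    c1 = Control("C1", "session timeouts, auto-logout, password complexity, lockout",
                 X805Dimension.ACCESS_CONTROL, 0.5)
    c2 = Control("C2", "identity validation before re-activating dormant accounts",
                 X805Dimension.AUTHENTICATION, 0.6)
    return [
        Risk("customer account data", "DFS Provider", "Account and session hijacking",
             "use of credentials to elevate access", likelihood=4, impact=5, controls=[c1]),
        Risk("dormant customer accounts", "DFS Provider", "Account and session hijacking",
             "inadequate controls on dormant accounts", likelihood=3, impact=4, controls=[c2]),
    ]


def evaluate(register: list[Risk]) -> list[dict]:
    """Risk analysis and evaluation: inherent and residual scores with ratings,
    sorted so the entry with the highest residual risk comes first."""
    rows = []
    for r in register:
        rows.append({
            "stakeholder": r.stakeholder, "threat": r.threat, "vulnerability": r.vulnerability,
            "inherent": r.inherent(), "inherent_rating": rating(r.inherent()),
            "residual": r.residual(), "residual_rating": rating(r.residual()),
            "controls": [c.name for c in r.controls],
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def controls_by_dimension(register: list[Risk]) -> dict[str, list[str]]:
    """Classify every control in the register by its X.805 security dimension."""
    grouped: dict[str, list[str]] = {}
    for r in register:
        for c in r.controls:
            names = grouped.setdefault(c.dimension.value, [])
            if c.name not in names:
                names.append(c.name)
    return grouped


if __name__ == "__main__":
    reg = build_sample_register()
    for row in evaluate(reg):
        print(f"{row['threat']} / {row['vulnerability']}: inherent {row['inherent']} "
              f"({row['inherent_rating']}), residual {row['residual']} ({row['residual_rating']})")
    print(controls_by_dimension(reg))
```

Run as a script it prints the two entries in residual-risk order (the credential-elevation risk stays "medium" after C1, the dormant-account risk drops to "low" after C2) and the controls grouped by dimension. The grouping is what lets an audit check that every X.805 dimension relevant to a stakeholder has at least one control behind it.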
Example Threat: Account and Session Hijacking
General threat: ability of an attacker to take control of an account or a communication session
Affected entities (DFS stakeholders): DFS Provider, MNO
Example Threat: Account and Session Hijacking
At the DFS provider:
Risk: data exposure and modification
Vulnerability: use of credentials to elevate access
X.805 security dimension: access control
Controls:
C1: Set user session timeouts and auto-logouts for access to DFS applications (logical sessions). Within the application, ensure support for password complexity (enforced by the server), and set the number of unsuccessful login attempts, password history and reuse periods, and account lock-out periods to reasonable minimal values in order to minimize the potential for offline attack.
Example Threat: Account and Session Hijacking
At the DFS provider (continued):
Risk: unauthorized account takeover
Vulnerability: inadequate controls on dormant accounts
X.805 security dimension: authentication
Controls:
C2: Require identity validation for users of dormant DFS accounts before re-activating the accounts.
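Controls C1 and C2 as one added worked example: a server-side account policy that enforces password complexity, locks the account after repeated failed logins, refuses reuse of recent passwords, logs an idle session out automatically, and refuses to re-activate a dormant account until identity has been re-validated. This is illustrative Python written for this page, not code from the ITU/FIGI presentation or any DFS provider; every threshold (15-minute idle timeout, 5 attempts, 30-minute lockout, 12-character minimum, 5-password history, 180-day dormancy) is an assumed value that a provider would set from its own risk assessment, and `now` is passed in explicitly so the policy can be exercised without a live clock.

```python
"""Account and session policy modelled on controls C1 and C2 of the slides.

Added illustration, not code from the ITU/FIGI presentation. All thresholds
are assumed values; `now` is passed explicitly so the policy can be exercised
without a real clock.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

IDLE_TIMEOUT_S = 15 * 60            # C1: logical session auto-logout after inactivity
MAX_FAILED_ATTEMPTS = 5             # C1: unsuccessful login attempts before lockout
LOCKOUT_S = 30 * 60                 # C1: account lock-out period
MIN_PASSWORD_LEN = 12               # C1: server-enforced complexity rule
PASSWORD_HISTORY = 5                # C1: retired passwords that may not be reused
DORMANT_AFTER_S = 180 * 24 * 3600   # C2: inactivity after which an account is dormant
PBKDF2_ROUNDS = 100_000             # kept modest so the demo runs quickly


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_complexity_ok(password: str) -> bool:
    """Server-enforced rule: minimum length and at least three character classes."""
    if len(password) < MIN_PASSWORD_LEN:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    previous: list = field(default_factory=list)  # (salt, digest) of retired passwords
    failed_attempts: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0    # last successful login or session use
    session_expires: float = 0.0  # 0 means no live session


def create_account(user_id: str, password: str, now: float) -> Account:
    if not password_complexity_ok(password):
        raise ValueError("password does not meet the complexity policy")
    salt, digest = hash_password(password)
    return Account(user_id, salt, digest, last_activity=now)


def is_dormant(acct: Account, now: float) -> bool:
    return now - acct.last_activity >= DORMANT_AFTER_S


def login(acct: Account, password: str, now: float, identity_verified: bool = False) -> str:
    """Returns 'ok', 'locked', 'denied' or 'dormant' (C2: re-validation required)."""
    if now < acct.locked_until:
        return "locked"
    _, candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_S
            acct.failed_attempts = 0
        return "denied"
    acct.failed_attempts = 0
    # Dormancy is checked only after the password verified, so the response
    # does not tell an unauthenticated caller which accounts are dormant.
    if is_dormant(acct, now) and not identity_verified:
        return "dormant"
    acct.last_activity = now
    acct.session_expires = now + IDLE_TIMEOUT_S
    return "ok"


def session_active(acct: Account, now: float) -> bool:
    """Called on each request: a live session is extended, an idle one is logged out."""
    if acct.session_expires and now < acct.session_expires:
        acct.session_expires = now + IDLE_TIMEOUT_S
        acct.last_activity = now
        return True
    acct.session_expires = 0.0  # auto-logout
    return False


def change_password(acct: Account, new_password: str) -> bool:
    """Rejects weak passwords and any of the last PASSWORD_HISTORY passwords."""
    if not password_complexity_ok(new_password):
        return False
    for salt, digest in [(acct.salt, acct.digest)] + acct.previous:
        if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
            return False
    acct.previous = ([(acct.salt, acct.digest)] + acct.previous)[:PASSWORD_HISTORY]
    acct.salt, acct.digest = hash_password(new_password)
    return True


if __name__ == "__main__":
    acct = create_account("wallet-user", "Correct-Horse-7", now=0.0)
    print(login(acct, "Correct-Horse-7", 1.0))                        # ok
    print(session_active(acct, 1.0 + IDLE_TIMEOUT_S + 1))             # False (auto-logout)
    print(login(acct, "Correct-Horse-7", 1.0 + DORMANT_AFTER_S))      # dormant
```

Two design points matter for an audit against C1 and C2. The lockout counter resets only on a successful login or once the lockout has been triggered, so an attacker cannot keep the count below the threshold by pausing; and the dormancy check runs after password verification, so the "dormant" response never reveals to an unauthenticated caller which accounts have gone quiet.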