Hack a Bank Scenario – what to look for before the attack
What to know about the Bank before trying to target its website?
Students Answers:
Infrastructure, what tech stack is used, system IP, Wi-Fi network details, authentication mechanisms, mail services (phishing), domain access, bank website URLs, transaction details, card details.
Coach Sai Narayanan Answers:
Port numbers on the target bank server –
Services on the ports –
Vulnerable service enumeration
Payload experiment on local first
Preparing a target payload
Scope Enumeration
List of domains.
List of sub domains
List of URLs
URLs that change state
Finding different URLs based on environment – languages and tech (python, npm, .net)
Manual Attack vs Automated Attack -
Manual: use tools like Burp Suite, SQLMap, Metasploit, Netcat, Wireshark, etc.
Automated: Burp Suite scanner, Rapid7 Metasploit, a server's SSH service to send payloads to the target server.
After a successful attack, what the attacker does:
Data exfiltration
Card details
Pin numbers
Account details
Transaction details
Sell this data for hundreds of crores and later land in jail for the rest of the hacker's life.
Tools Demonstration:
robtex.com - Robtex is used for various kinds of research on IP numbers, domain names, etc. Robtex uses various sources to gather public information about IP numbers, domain names, host names, autonomous systems, routes, etc. It then indexes the data in a big database and provides free access to it.
Demonstration on Google Domains, Name Servers.
Hosting Provider details.
Others:
Firewall Introduction.
One word – Internet.
Vulnerability.
Phishing.
Biometric.
Bug Bounty introduction and Facebook Bug Bounty program showcase.
Case Study:
High-level analysis of the Hydro-Quebec attack and its significance.
Why did the hackers choose Quebec itself?
Attack Dilution:
Is it on the server?
Is it at the application level? If yes, at what authorization level did the penetration occur?
Scope.
Pass scenario: how did the hacker get through?
Fail scenario: at what point in the security tech stack did the attack fail?
Securing a bank website – detailed notes below:
Securing a banking website is a complex process that involves multiple layers of security measures and constant vigilance. Here's a general outline of a step-by-step process that could be used to secure a banking website:
### Step 1: Risk Assessment
1. **Identify Assets**: List all assets including servers, databases, and applications.
2. **Vulnerability Assessment**: Identify vulnerabilities through automated scanning and manual testing.
3. **Threat Modeling**: Identify potential threats and evaluate the risk they pose.
4. **Risk Analysis**: Analyze the identified risks and prioritize them based on their potential impact.
### Step 2: Infrastructure Security
5. **Firewalls**: Set up firewalls to control the traffic between the external network and the banking network.
6. **Intrusion Detection Systems (IDS)**: Install IDS to monitor network traffic for suspicious activities.
7. **Secure Configuration**: Harden servers, databases, and other systems by disabling unnecessary services and securing configurations.
8. **Patch Management**: Regularly update systems with the latest security patches.
### Step 3: Application Security
9. **Secure Coding Practices**: Implement secure coding practices to prevent common vulnerabilities like SQL injection, XSS, and CSRF.
10. **Code Review**: Conduct regular code reviews to identify and fix vulnerabilities.
11. **Web Application Firewall (WAF)**: Implement a WAF to protect the web application from various attacks.
12. **Encryption**: Use encryption to protect sensitive data both in transit and at rest.
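The three vulnerability classes named in step 9 are easiest to understand side by side with their fixes. The following is an added example written for these notes, not code from the session or from any bank's codebase; it uses a constructed in-memory SQLite table and made-up account numbers, and the `server_key` is a placeholder for a secret the real application would keep in its configuration.

```python
import html
import hmac
import secrets
import sqlite3

# Constructed sample data standing in for a bank's accounts table (not real data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_no TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 75)],
    )
    return conn

# --- SQL injection: string-built query versus parameterised query ---------------

def lookup_vulnerable(conn: sqlite3.Connection, account_no: str) -> list:
    # The user-supplied value is pasted into the SQL text, so it can change the
    # query's structure (e.g. add an OR clause) instead of being treated as data.
    query = f"SELECT owner, balance FROM accounts WHERE account_no = '{account_no}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn: sqlite3.Connection, account_no: str) -> list:
    # The driver binds the value separately; it is never parsed as SQL.
    query = "SELECT owner, balance FROM accounts WHERE account_no = ?"
    return conn.execute(query, (account_no,)).fetchall()

# --- Cross-site scripting: output encoding ---------------------------------------

def render_greeting_unsafe(display_name: str) -> str:
    # Raw interpolation lets markup in the name execute in the customer's browser.
    return f"<p>Welcome, {display_name}</p>"

def render_greeting_safe(display_name: str) -> str:
    # html.escape turns < > & " ' into entities, so the browser shows them as text.
    return f"<p>Welcome, {html.escape(display_name)}</p>"

# --- CSRF: per-session token bound to the session with an HMAC ----------------------

def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    # Token derived from the session id under a server-side key; a forged
    # cross-site request cannot produce it without knowing the key.
    return hmac.new(server_key, session_id.encode(), "sha256").hexdigest()

def verify_csrf_token(session_id: str, submitted: str, server_key: bytes) -> bool:
    expected = issue_csrf_token(session_id, server_key)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, submitted)

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"          # classic injection string used only to show the difference
    print("vulnerable:", lookup_vulnerable(conn, probe))   # every row comes back
    print("safe:      ", lookup_safe(conn, probe))         # no such account
    print(render_greeting_safe("<script>alert(1)</script>"))
    key = secrets.token_bytes(32)  # placeholder for the application's real CSRF key
    tok = issue_csrf_token("session-abc", key)
    print("csrf ok:", verify_csrf_token("session-abc", tok, key))
```

The `probe` string is the textbook illustration: in the vulnerable function it rewrites the `WHERE` clause and returns every account, while the parameterised version returns nothing because no account number literally equals that text.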
### Step 4: Authentication and Authorization
13. **Multi-factor Authentication (MFA)**: Implement MFA to enhance security during user authentication.
14. **Role-Based Access Control (RBAC)**: Use RBAC to restrict system access to authorized users.
15. **Session Management**: Implement secure session management practices to prevent session hijacking.
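Steps 13 to 15 fit together as one login flow: a password check opens a session, a second factor completes it, and only then does role checking admit the user to privileged actions. The block below is an added example for these notes, not the session's or any product's code. It implements TOTP (RFC 6238) on top of HOTP (RFC 4226) with the standard library, an in-memory session store that rotates the session identifier after the MFA step and expires idle sessions, and a small role check; `SessionStore`, `complete_mfa` and `authorize` are names chosen for the example, and the idle timeout values are illustrative.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # TOTP time step from RFC 6238

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // STEP_SECONDS, digits)

def verify_totp(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift."""
    counter = at_time // STEP_SECONDS
    matched = False
    for drift in range(-window, window + 1):
        # Check every candidate in constant time; do not return early on a hit.
        if hmac.compare_digest(hotp(secret, counter + drift), submitted):
            matched = True
    return matched

class SessionStore:
    """Server-side session state keyed by an unguessable token (in-memory for the example)."""

    def __init__(self, idle_timeout: int = 900):
        self.idle_timeout = idle_timeout
        self._sessions: dict = {}

    def create(self, user: str, roles: set, now: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a counter
        self._sessions[token] = {"user": user, "roles": set(roles), "mfa": False, "last_seen": now}
        return token

    def rotate(self, token: str, now: int) -> str:
        """Issue a fresh identifier and retire the old one after a privilege change (anti-fixation)."""
        state = self._sessions.pop(token)
        state["last_seen"] = now
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = state
        return new_token

    def get(self, token: str, now: int):
        state = self._sessions.get(token)
        if state is None:
            return None
        if now - state["last_seen"] > self.idle_timeout:
            del self._sessions[token]  # idle timeout bounds the life of a stolen cookie
            return None
        state["last_seen"] = now
        return state

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)

def complete_mfa(store: SessionStore, token: str, secret: bytes, code: str, now: int):
    """Second factor: on success mark the session as MFA-complete and rotate its token."""
    state = store.get(token, now)
    if state is None or not verify_totp(secret, code, now):
        return None
    state["mfa"] = True
    return store.rotate(token, now)

def authorize(store: SessionStore, token: str, required_role: str, now: int) -> bool:
    """RBAC gate: a live, MFA-complete session holding the required role."""
    state = store.get(token, now)
    return bool(state and state["mfa"] and required_role in state["roles"])

if __name__ == "__main__":
    # Constructed enrolment secret (the RFC 6238 test-vector key), not a real one.
    secret = b"12345678901234567890"
    store = SessionStore(idle_timeout=900)
    now = 59
    t1 = store.create("alice", {"customer"}, now)        # after password check
    print("before MFA, transfer allowed:", authorize(store, t1, "customer", now))
    t2 = complete_mfa(store, t1, secret, totp(secret, now), now)
    print("old token still valid:", store.get(t1, now) is not None)
    print("after MFA, transfer allowed:", authorize(store, t2, "customer", now))
    print("after MFA, admin allowed:", authorize(store, t2, "admin", now))
```

Two details matter most for a banking login: the session identifier changes the moment the user's privilege level changes, so an identifier planted before authentication is worthless afterwards, and authorization is decided from server-side state, never from anything the client sends besides the opaque token.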
### Step 5: Monitoring and Incident Response
16. **Monitoring**: Continuously monitor the system and network for any suspicious activities.
17. **Incident Response Plan**: Develop and maintain an incident response plan to handle potential security incidents effectively.
18. **Security Audits and Assessments**: Regularly conduct security audits and assessments to evaluate the security posture of the banking website.
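Step 16 is abstract until it is run over real data, so here is an added example for these notes (not code from the session or any vendor product) that applies two common login-monitoring rules to constructed authentication log lines: repeated failures from one source within a short window, and one source failing against many different accounts. The log format, thresholds, and IP addresses are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple key=value format (not real bank logs).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth result=FAIL user=alice ip=203.0.113.7
2024-03-01T10:00:03Z auth result=FAIL user=alice ip=203.0.113.7
2024-03-01T10:00:05Z auth result=FAIL user=alice ip=203.0.113.7
2024-03-01T10:00:08Z auth result=FAIL user=alice ip=203.0.113.7
2024-03-01T10:00:10Z auth result=FAIL user=alice ip=203.0.113.7
2024-03-01T10:00:12Z auth result=FAIL user=alice ip=203.0.113.7
2024-03-01T10:01:00Z auth result=FAIL user=alice ip=198.51.100.9
2024-03-01T10:01:02Z auth result=FAIL user=bob ip=198.51.100.9
2024-03-01T10:01:04Z auth result=FAIL user=carol ip=198.51.100.9
2024-03-01T10:01:06Z auth result=FAIL user=dave ip=198.51.100.9
2024-03-01T10:02:00Z auth result=OK user=bob ip=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse_log(text: str) -> list:
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def detect_bruteforce(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> set:
    """Source IPs with at least `threshold` failed logins inside any `window`-long span."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    flagged = set()
    for e in events:  # events are assumed to be in time order, as a log file is
        if e["result"] != "FAIL":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.pop(0)  # slide the window forward
        if len(q) >= threshold:
            flagged.add(e["ip"])
    return flagged

def detect_spraying(events: list, min_users: int = 3) -> set:
    """Source IPs whose failures spread across at least `min_users` distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_users}

def run_detections(text: str) -> dict:
    events = parse_log(text)
    return {
        "bruteforce": detect_bruteforce(events),
        "spraying": detect_spraying(events),
    }

if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOG).items():
        print(f"{rule}: {sorted(hits) or 'none'}")
```

The brute-force rule is volume-based and the spraying rule is breadth-based; a real deployment tunes the thresholds against its own baseline and feeds the alerts into the incident response plan from step 17 so that a lockout or step-up authentication can follow automatically.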
### Step 6: Training and Awareness
19. **Employee Training**: Conduct regular training programs to educate employees about the latest threats and safe security practices.
20. **Phishing Simulations**: Conduct phishing simulation exercises to educate employees on how to recognize and avoid phishing attempts.
### Step 7: Legal and Regulatory Compliance
21. **Data Privacy Laws**: Ensure compliance with data privacy laws and other relevant regulations.
22. **Documentation and Reporting**: Maintain documentation of all security measures and report compliance to relevant authorities.
### Step 8: Continuous Improvement
23. **Feedback Loop**: Establish a feedback loop with the security community to stay updated with the latest threats and security measures.
24. **Research and Development**: Invest in research and development to continually enhance the security of the banking website.
Implementing these steps would create a robust security posture for a banking website, protecting it against various cyber threats and vulnerabilities. It's essential to approach this process with a mindset of continuous improvement, adapting to the evolving threat landscape.