Financial Cyber-Threat Briefing

“Planning for Attack-Resilient Web Applications”

11th July 2014 - Level 39, One Canada Square, Canary Wharf, London, United Kingdom
REGISTRATIONS ARE OFFICIALLY CLOSED: If you have any queries or requests, please contact LiquidNexxus.


Summary

The Financial Cyber-Threat Briefing will present:

  • an overview of the most common and latest attack vectors affecting online banking and other financial online services;
  • strategies and methodologies for addressing the growing risks in this domain;
  • and a demonstration of some of the latest untraceable exploits, as well as solutions to stop them.

Useful Information

According to the Verizon 2014 Data Breach Investigations Report, Zeus continued to be a favourite way to make a buck with crimeware in 2013. Zeus and its offspring, Citadel, primarily focus on stealing money via bank account takeovers, though they can also be used for other functions.

According to the ENISA Threat Landscape 2013 report, web-based attacks predominate over other cyber threats: cybercriminals use malicious URLs as the primary vector to serve malware, while Java is the most exploited application.

EY’s 13th Global Fraud Survey of over 2,700 executives across 59 countries highlights that while respondents believe emerging risks are not being taken seriously enough, nearly half of them consider cybercrime a low risk.

PWC’s latest CyberSecurity technical report (link) highlights that the average cost of the worst breach of the year appears to have increased significantly, to £35,000-£65,000 for small businesses and £450,000-£750,000 for large organisations.

Agenda

Agenda Timing

14:30 to 15:00 Registration and welcome
15:00 to 16:15 Keynote Presentations
16:15 to 16:30 Networking Break
16:30 to 17:15 Live Demos
17:15 to 18:00 Networking Drinks Reception

Agenda Outline


Emerging Cyber-Threats Targeting Financial Institutions

This presentation will share research carried out on the root causes of security incidents caused by attacks from emerging threats such as banking malware. The session will provide practical examples of compromises caused by various threat agents and an in-depth analysis of the methods and attack vectors employed against online banking applications. The scope of this analysis is to analyse the threats, simulate attacks and identify flaws in application architecture that can be prioritised for remediation. To simulate the attacks, modelling techniques such as the attack kill chain and attack trees will be shown. The goal of this session is to provide information security officers with examples of processes, methodologies and risk frameworks that can be used to identify countermeasures to mitigate emerging threats.

Speaker: Marco Morana, SVP Technology Risks & Controls, Citi


Cyber Crime: extending an already loose perimeter

"EY’s 13th Global Fraud Survey (http://www.ey.com/GL/en/Newsroom/News-releases/news-pervasive-global-corruption-leaves-boards-struggling-to-cope) of over 2,700 executives across 59 countries highlights that while respondents believe emerging risks are not being taken seriously enough, nearly half of them consider cybercrime a low risk." With cybercrime expanding its reach and reaching new heights, companies struggle with the basics, from supporting cybercrime initiatives to failing to understand what to protect from whom. We'll go through a brief panorama of the issues and point out some useful directions to follow.

Speaker: Massimo Cotrozzi, Assistant Director - Fraud Investigation & Dispute Services Practice, Ernst & Young.


Overview of Online Banking Malware & Countermeasures

This session will present how attackers currently identify and exploit web vulnerabilities on financial institution websites to steal credentials. Giorgio will also demonstrate how compromised customer PCs can compromise online transaction platforms, and give an overview of the technology being used for prevention. Finally, Giorgio will present a new technology, the “AMT Banking Malware Detector”, that allows banks to identify users infected with malware before they become victims of fraud.

Speaker: Giorgio Fedon, COO, Minded Security & OWASP Lead.


Preventing In-Browser Malicious Code Execution

DOM-based XSS (or, as some texts call it, “type-0 XSS”) is an XSS attack in which the payload executes as a result of modifying the DOM “environment” in the victim’s browser that the original client-side script relies on, so that the client-side code runs in an “unexpected” manner. Certain vulnerabilities in JavaScript code cannot be tracked by standard IDS or perimeter security measures, which leaves a large potential exposure: the code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation will demonstrate such vulnerabilities and also present Minded Security’s latest countermeasure, DOMinatorPro.

Speaker: Stefano Di Paola. CTO, Minded Security & OWASP Project Lead
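
As an added illustration of the DOM-based XSS pattern described in the abstract above (example code written for this page, not from the speaker or from Minded Security's tools), the following Node script shows an untrusted URL fragment flowing into an HTML sink beside a hardened rendering of the same data; the element stub, the bank.example URL and all function names are constructed for the example.

```javascript
// Constructed stand-in for a DOM element so this runs in Node without a browser.
// As in a real browser, innerHTML is an HTML-parsing sink and textContent is a text sink.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Source: a value taken from the URL fragment. The fragment never leaves the browser,
// so a perimeter IDS or WAF cannot inspect this input (the point the abstract makes).
function fragmentParam(url, name) {
  const hash = new URL(url).hash.slice(1);
  for (const pair of hash.split("&")) {
    const [k, v = ""] = pair.split("=");
    if (decodeURIComponent(k) === name) return decodeURIComponent(v);
  }
  return "";
}

// Vulnerable pattern: untrusted data is written to innerHTML, so any markup in it
// becomes live DOM and the page's own script ends up running attacker-controlled content.
function renderVulnerable(el, url) {
  el.innerHTML = "Welcome " + fragmentParam(url, "name");
  return el;
}

// Hardened pattern: validate against an allow-list of expected characters, then use a
// text sink so nothing in the value is ever parsed as HTML.
function renderHardened(el, url) {
  const name = fragmentParam(url, "name");
  const safe = /^[\p{L} .'-]{1,64}$/u.test(name) ? name : "guest";
  el.textContent = "Welcome " + safe;
  return el;
}

// Review/runtime check: did a string containing tags or event-handler attributes reach the
// HTML sink? A DOM taint analyser asks the same question about innerHTML assignments.
function reachedHtmlSinkWithMarkup(el) {
  return /<[a-z!\/?]|\bon[a-z]+\s*=/i.test(el.innerHTML);
}

// Constructed sample input: the fragment carries an image tag with an event handler.
const SAMPLE_URL =
  "https://bank.example/welcome#name=%3Cimg%20src%3Dx%20onerror%3Dprobe()%3E";

console.log("vulnerable reached sink:", reachedHtmlSinkWithMarkup(renderVulnerable(makeElement(), SAMPLE_URL)));
console.log("hardened output:", renderHardened(makeElement(), SAMPLE_URL).textContent);
```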

Speakers


Marco Morana, SVP Technology Risks & Controls, Citi

Marco Morana serves the OWASP organization as a project lead and member of the OWASP London chapter. In his current professional role, Marco is SVP at Citigroup in London, U.K., where he is responsible for managing information security governance, risk and compliance of architecturally significant programs globally. Marco's contributions to OWASP include the application threat modelling methodology of the OWASP Secure Coding Guide, the introduction to the security testing methodology, and the OWASP Security Testing Guide. As project leader, Marco is the primary author of the OWASP Application Security Guide for CISOs. As project reviewer, Marco contributed to reviewing the OWASP Source Code Review Project and the OWASP Security Analysis of Core J2EE Design Patterns Project. Marco has presented on the topic of software and application security at several local chapter meetings and OWASP-organized conferences in the USA and Italy, as well as at the CSI and Black Hat security conferences. Marco's work on application and software security has been published in In-secure magazine, Secure Enterprise, the ISSA Journal and the C/C++ Users Journal, as well as in DHS Software Security Assurance, and he is currently co-authoring a book on Application Threat Modelling. Marco is also a mentor for security start-ups hosted at the Level39 incubator in London and is a member of the technical board of advisers of the security start-up company Nok Nok Labs Inc.


Massimo Cotrozzi, Assistant Director - Fraud Investigation & Dispute Services Practice, Ernst & Young

Massimo is an Assistant Director in the Fraud Investigation & Dispute Services practice, focusing on cybercrime, data breach investigations, network intrusion, incident response, and computer and network forensics.
Massimo has extensive experience in supporting corporations as well as law enforcement, military intelligence and defence. He has been active in protecting against cyber attacks and digital fraud, and has performed a number of forensic engagements and expert witness testimonies for entities in all sectors, including many FTSE 100 businesses and governmental organisations and agencies.


Giorgio Fedon, COO & Co-Founder, Minded Security

Giorgio Fedon is the COO and a co-founder of Minded Security, where he is responsible for running the daily operations of the company and managing Professional Services. Prior to founding Minded Security, Giorgio was a senior penetration tester and code auditor. As a long-time penetration tester he has solid system and application security knowledge. He also specializes in finding and exploiting new vulnerabilities in prominent software, both out of passion and to stay ahead of new threats and exploitation techniques before they are found and disclosed publicly. He has spoken at many international events, mainly about web security and malware obfuscation techniques.


Stefano Di Paola, CTO & Co-Founder, Minded Security

Stefano Di Paola is the CTO and co-founder of Minded Security, where he is Head of the Research and Development Lab. In the last 7 years Stefano has presented several cutting-edge research topics, such as DOM-based XSS runtime taint analysis, Expression Language Injection, HTTP Parameter Pollution and ActionScript security, which placed him in the Top Ten Web Hacking Techniques initiative for 5 consecutive years (2007-2011). He has also published several security advisories and open source security tools, such as SWFIntruder and DOMinator, and contributed to the OWASP Testing Guide. Stefano is Research & Development Director of the OWASP Italian Chapter.

Venue

LEVEL 39. One Canada Square
Canary Wharf, London E14 5AB
SANDBOX 2 & 3, “SPACE 39”

Level39 is Europe’s largest technology accelerator space for finance, retail and future cities technology companies. Occupying the entire 39th floor of the iconic One Canada Square building, and established by Canary Wharf Group plc, Level39 was opened on 18th March 2013 by Boris Johnson, Mayor of London, and has quickly become an important part of Tech City, having hosted over 100 events, including hackathons, skunkworks and demo days. Members at the Canary Wharf incubator network with experienced entrepreneurs, technology investors and industry experts in order to accelerate their traction and access to markets.

Level39 is a space for early-stage businesses that have potential for high-growth. Members are looking to create, test, market and deliver scalable world-class financial, retail and future cities technology products and services.

http://www.level39.co/


Registration

Registrations are CLOSED. 

For further enquiries please contact us.

Head Office:

Barkat House, 116-118 Finchley Road
London NW3 5HT
United Kingdom 


Enquiries:

Email: info@liquidnexxus.com

London: +44 20 3322 9095
Paris: +33 9 707 30003
Johannesburg: +27 8 7550 4648
Sao Paulo: +55 313 95 60606
Mexico City: +52 8141 707 161