MFID Whitepaper

Information Security at its best

Phone Numbers - +91-11-27476211-10, 47065866

Regd. Office – A-2/ 24, Shakti Nagar Ext; Delhi – 110052, India

Multifactor authentication and access to IT Infrastructure

By

INNEFU Labs Pvt. Ltd


Phone Numbers - +91-11-27476211-10, 47065866


Table of Contents

1. About Us................................................................................................................................................ 3

1.1 Credentials .................................................................................................................................... 4

1.2 Some of our Law enforcement clients ................................................................................................ 4

1.3 Corporate and PSU ........................................................................................................................ 4

1.4 Headquarters ................................................................................................................................ 5

2. Problem ............................................................................................................................................. 6

2.1.1 Internal dangers ........................................................................................................................... 8

2.1.2 External threats ............................................................................................................................ 8

2.1.3 Attractive targets ......................................................................................................................... 8

3. MFID – Multifactor Authentication ....................................................................................................... 9

3.1 Architecture ...................................................................................................................................... 10

3.2 Process .............................................................................................................................................. 13

4. Applications ......................................................................................................................................... 15

4.2 Intranet Applications / Other web enabled applications.................................................................. 15

4.3 Email Servers / Database Servers ..................................................................................................... 16

5. Features .............................................................................................................................................. 17

6. Advantages .......................................................................................................................................... 18


Phone Numbers - +91-11-27476211-10, 47065866


1. About Us

The world today revolves around information. Information today is the energy that plays a critical

role in our personal lives and drives our businesses. As we move further into this digital age, it has

become imperative to not just protect our information from outsiders but to also draw intelligence

from the vast amount information available to us.

Internet is the new playground for unwanted elements of society intent on committing terrorist or

espionage activities, financial frauds or identity thefts. Keeping this in mind, it has become

imperative to not only prevent these acts but also be in a position to intercept, monitor and block

Internet communication to draw intelligence out of them.

INNEFU is a research oriented Information Security consulting group specializing in meeting the

Information Security needs of the consumer via specialized products and services. We believe in

innovating and creating the latest technologies to combat the rapidly growing menace of hacking

and reduce dependency on human factors. We offer a complete gamut of Information Security

services under one roof which includes our patented products like 99% Secure - Cyber Cafe

Surveillance, Tactical Internet Interception, Multi Factor Authentication, Link analysis and Pattern

Matching and services like complete corporate security process management, web application

security and managed security services.

INNEFU specialization is Intelligence Gathering to prevent and investigate internet crimes. Our

patented products including Tactical Internet interception and E-Mail Tracking System have already

been used by Law Enforcement Agencies to investigate hacking attacks, gather intelligence, while

our Multifactor authentication (MFID) sytem integrated with Risk based Transaction Algorithm

ensures secure and failsafe online / credit card transactions by creating a dynamic password

everytime the user wishes to log in.

INNEFU’s clients include several Law Enforcement Agencies like NIA, NTRO, Jammu Police,

Ministry of Defense, Ministry of Home Affairs etc. We serve diverse industry verticals and the

prominent amongst them are BFSI, BPOs/KPOs, E-commerce, IT/ITES, Education, Telecom etc.

We follow a “Chinese Wall Policy” to ensure that clients’ identity and data are absolutely

confidential and accessed only by the onsite consultant and the project manager.


Phone Numbers - +91-11-27476211-10, 47065866


1.1 Credentials

Board of advisor consists of ex Army Officers and professionals from organizations

including Microsoft, Infosys, Dell, CISCO etc.

Tie ups with multiple academic institutions for R & D

R & D team consists of alumni of IIT Delhi, IIT Mumbai, IIT Kanpur

More than 5000 hrs in the field of Information Security consulting

The team has prior experience of working with organizations including Microsoft, Infosys,

Dell etc

1.2 Some of our Law enforcement clients

Ministry of Home Affairs

Ministry of Defense

Multiple state police departments including Delhi Police, J&K Police, Punjab Police etc

Economic offense wing

NTRO

1.3 Corporate and PSU

Bharat Electronics Ltd.

Central Bank of India

Intelliware Technologies

Dena Bank

Greater Mumbai Bank

And counting many more …….


Phone Numbers - +91-11-27476211-10, 47065866


1.4 Headquarters

AG -22, 2nd Floor,

Shalimar Bagh

Inner Ring Road,

New Delhi - 110088

A-2/24, Shakti Nagar Ext,

Delhi -110052, India

Phone - +91-11-47065866, 9313050131


Phone Numbers - +91-11-27476211-10, 47065866


2. Problem

“78% of all information security breaches are conducted by internal employees – CERT In statistics”

Organizations have established policies and architecture to enhance the

information security in their organization. They use policies and tools

such as anti-virus, firewalls, Unified threat management and multiple

security policies.

However, the architecture is more suited to perimeter security and

incapable of handling insider threats whereas organizations today can no longer afford to ignore

Information threats from within

“Internal fraud made up more than a quarter of the £1.19bn of fraud losses recorded in cases brought before UK courts in 2008”


Phone Numbers - +91-11-27476211-10, 47065866


Fig.1 Probable IT Architecture of an organization


Phone Numbers - +91-11-27476211-10, 47065866


2.1.1 Internal dangers

Unlike external information threats, internal information breaches are multidimensional. The threats

vary from misuse of official email, copying confidential data or inserting backdoors into critical

applications. More importantly, these threats come from the most trustworthy of sources –

organization’s internal employees.

More than half of all this damage to information systems comes from authorized personnel who are

either untrained or incompetent. A fifth of the damage comes from dishonest and disgruntled

employees. An information breach by authorized personnel either intentionally or accidentally, can

cause irreparable damage to an organization.

2.1.2 External threats

The growth of Internet connectivity is drastically increasing the threat to information systems.

Today most systems are opened to access via TCP/IP connections from the wider Internet. Many

organizations also link their systems tightly with those of trading partners using virtual private

networks (VPNs) that increase the number of people allowed to access the systems.

In such a scenario, it is imperative for an organization to monitor the flow of Internet traffic both in

and out of the organization to monitor for websites visited, emails, chats, file transfers, videos,

audios etc.

2.1.3 Attractive targets

Most organizations are becoming the favorite targets of an amateur trying to hone his skills or a

skilled criminal trying to get sensitive information out of the organization. The aim is either to

embarrass the organization or sell the data to a competitor thereby making money out of it.


Phone Numbers - +91-11-27476211-10, 47065866


3. MFID – Multifactor Authentication

MFID or multifactor Identity Authentication is a system where a second factor of authentication

apart from the user name and password is required to authenticate the user and provide him access

to critical resources of the bank.

MFID authenticates and verifies the user based on –

User id and Password

A second factor of authentication which includes a registered mobile number and passkey

generator

The One time password is generated using a combination of multiple unbreakable encryption

algorithms. The algorithm generates an unbreakable one-time password every time the user logs

onto a DMZ (De militarized zone) as specified by the IT architecture. The algorithm is similar to

the one implemented by US Military Intelligence while providing access to their critical application.


Phone Numbers - +91-11-27476211-10, 47065866


3.1 Architecture

Fig.2 Authentication using Hard Token


Phone Numbers - +91-11-27476211-10, 47065866


Normal authentication process

If user is not authenticated Client enters ID & Pwd

If correct, authenticates and redirects to website

Client Web Application/DB

Servers/Wi-Fi/VPN login page

Verification of ID

& Pwd

Data base

containing

user

information

Your application or website


Phone Numbers - +91-11-27476211-10, 47065866


Authentication using Hard token

If user is not authenticated Client enters the ID & Password

If user is authenticated

Redir

If not authenticated User submits OTP.

If correct, authenticates and redirects to

protected content

Client Web Application/DB

Servers/Wi-Fi/VPN login page

OTP verification page

Verification of ID

& Pwd Data base

containing

user

information

verification

Your application or website

Hard Token

Generator


Phone Numbers - +91-11-27476211-10, 47065866


3.2 Process

Radius server will be used to –

o Authenticate the user

o Provide access to the user

The radius server will be integrated with AAA server for authentication of user using One

Time Password

Once the user is authenticated, the user request will be sent to the LDAP server

LDAP server will be used to provide authorization to the user

All applications will be integrated via LDAP

Multiple domains / virtual LAN’s will be created with users allowed access to other domains

based on authentication requests which will be forwarded to their own domains

Citrix / Juniper VPN will be installed on specific machines to allow clients to work from

home (if required)


Phone Numbers - +91-11-27476211-10, 47065866


Domain 1Domain 2

Radius Server Radius Server

1. Web Applications2. Intranet Applications3. Email Servers4. VPN5. Database Servers6. Employee Attendance7. WiFi / LAN Network

Desktops / Laptops will log onto Web based VPN

AAA Server

AAA Server

LDAP Server

Fig.3 Architecture for Secure Single Sign On


Phone Numbers - +91-11-27476211-10, 47065866


4. Applications

The following applications will be integrated within this architecture –

4.1 Remote Access / Virtual Private Network (VPN)

Salespeople, care workers, engineers and traveling executives need secure access to the corporate

network while ‘on the road’. These users demand the most flexible range of access methods

including the following.

• VPN over wireless, whenever their laptop can connect to a WiFi hotspot

• VPN over a broadband connection from a laptop when at home

• Web access to email and other Web-enabled applications from an Internet café or other

insecure PC

These users must be able to use a single set of secure authentication credentials at all of the access

points that the enterprise has enabled.

4.2 Intranet Applications / Other web enabled applications

Specific individuals need to be granted deep and broad access to core business systems, typically

through Web portals. They need to be securely authenticated; it is no longer sufficient to rely on just

the IP address of the remote network to validate identity.

These individuals may be logging in from any Web-enabled system: a corporate desktop or home

PC, for example. And so, there should be no requirement for two factor authentication of the client


Phone Numbers - +91-11-27476211-10, 47065866


4.3 Email Servers / Database Servers

Social engineering and Phishing attacks are used by hackers rampantly to hack into user accounts

passwords. The non aware users fall prey to these attacks and end up passing their passwords to

hackers, colleagues or other users.

Information inside users mails or database servers can cause immense harm to the organization, and

as a result has to be protected. With two factor authentication, it becomes impossible for the hacker

or a user to impersonate another’s credentials. This provides unbreakable security to the

organization from phishing, social engineering or other hacking attacks


Phone Numbers - +91-11-27476211-10, 47065866


5. Features

o Single Sign on access – The user will only have to authenticate himself once to be

allowed secure access to all applications authorized to him including mails, intranet

applications etc

o Dual authentication based on One Time password – This will ensure that the

user and the organization is hundred percent protected from identity theft

o Authorization to access limited applications – The user will only be allowed

access to limited applications. Only authorized viewers will be allowed access to

critical IT Network

o Allowing employees work from home options in a secure and modulated

environment – Virtual Private Network will be installed for all users to allow work

from Home policy which may be implemented by any organisation

o Platform Independent Authentication Mechanism

o Security from Identity theft – A dynamic One Time Password will ensure that the

organization is safe from bouts of phishing attacks


Phone Numbers - +91-11-27476211-10, 47065866


6. Advantages

Your user gets:

Easy access to resources

No extra codes to remember.

Use whatever mobile phone, device they wish.

Works worldwide

Your IT staff gets:

Zero user administration.

100% integration with Microsoft AD.

Integrate with firewalls through RADIUS.

Seamless Integration with current setup

100% control of 'who can access my system'.

No deployment of devices or software to users.

Works world-wide.

Your CIO gets:

Simple price setup

Test for free before investing

Less user administration

Better use of the IT systems you all ready have

You know who can access your system - and when!

Easy Logs maintenance for future analysis

Documents

MFID Whitepaper