
Page 1: Next Generation Settlement & Security Overview Security Overview.pdf · FactR is a global logistic company, specializing in decentralized, immutable Blockchain technologies to the

Next Generation Settlement & Security Overview

[email protected]

Factrpay.io/security

Page 2

FactR Mission

Our mission is to bring decentralized, immutable Blockchain technologies to the logistics and freight industry, advancing and enhancing supply chain transparency and enabling trusted global freight, fleet and logistics transactions management. By doing this, we will drive trust and automation in freight logistics transactions, lowering operations costs and enabling instant finance settlement.

Page 3

Platform Overview

SIMPLE, SOPHISTICATED

Our platform brings the best of Intelligent Transportation Management solutions.

• Familiar Interface, Drilldown Analytics

• Easy to Use, Advanced Features

• Fast, Secure, Trusted with Blockchain

• Instant Payments, Lower Costs

Our automated, integrated technologies simplify logistics processes; we are working towards the world’s first AI, IoT & Blockchain solution for freight and fleet management. We are now extending our solution with FactR, a Blockchain-based digital wallet.

Page 4

How it works:

The FactR protocol, integrated with our RoadLaunch platform (Hyperledger permission-based smart contracts), will enable easy transactions for freight carriers and shippers with little to no change management. The parties will need to use our digital wallet account.

FactR is based on the Stellar network and leverages Horizon for settlement, audit & reconciliation.

Page 5

Security Details

With great respect for security, FactR not only follows the world’s best-known cyber defense organizations, but its team members are literally involved in developing new standards such as OWASP.

PLATFORM, BLOCKCHAIN, DIGITAL WALLET

• Distributed Ledger Trust

• Permission Smart Contracts

• Auditability & Provenance

• Instant Settlement

• Automation & Integration

Page 6

Overview

FactR is a global logistics company, specializing in bringing decentralized, immutable Blockchain technologies to the logistics and freight industry.

This Information Security Policy (ISP) provides definitive information on the prescribed measures used to establish and enforce the IT security program at FactR. FactR is committed to protecting its employees, partners, clients and the company itself from damaging acts, whether intentional or unintentional.

Effective security is a team effort involving the participation and support of every FactR user who interacts with data and information systems. Protecting company information and the systems that collect, process, and maintain this information is of critical importance. Consequently, the security of information systems includes controls and safeguards to offset possible threats, as well as controls to ensure accountability, availability, integrity, and confidentiality of the data:

Confidentiality – Confidentiality addresses preserving restrictions on information access and disclosure so that access is restricted to only authorized users and services.

Integrity – Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.

Availability – Availability addresses ensuring timely and reliable access to and use of information.

Security measures are taken to guard against unauthorized access to, alteration, disclosure or destruction of data and information systems. This also includes guarding against accidental loss or destruction.

Page 7

Overview (Cont’d)

The purpose of the Information Security Program (ISP) is to prescribe a comprehensive framework for:

• Creating an Information Security Management System (ISMS)

• Protecting the confidentiality, integrity, and availability of FactR data and information systems.

• Protecting FactR, its employees, and its clients from illicit use of FactR information systems and data.

• Ensuring the effectiveness of security controls over data and information systems that support FactR’s operations.

• Recognizing the highly networked nature of the current computing environment and providing effective company-wide management and oversight of the related Information Security risks.

• Providing for the development, review, and maintenance of the minimum security controls required to protect FactR’s data and information systems.

The formation of the policies is driven by many factors, with the key factor being risk. These policies describe the rules and solutions under which FactR operates and safeguards its data and information systems, both to reduce risk and to minimize the effect of potential incidents. These policies, including their related standards, procedures, and guidelines, support the management of information risks in daily operations. The development of policies provides due care to ensure FactR users and clients understand their day-to-day security responsibilities and the threats that could affect the company.

Implementing consistent security controls across the company will help FactR comply with current and future legal obligations and ensure long-term due diligence in protecting the confidentiality, integrity and availability of FactR data.

Page 8

Designed & Deployed for Protection

FactR is designed to protect your data:

• Secure development lifecycle

• 24/7/365 monitoring systems

• Security awareness training

• Compliance with world best practices and standards

Page 9

Platform

As a logistics platform, FactR includes comprehensive security measures for all necessary aspects of the digital era. It uses the most thoroughly thought-out security solutions, drawing on a variety of best practices and IT security standards.

The FactR platform runs a flexible penetration testing program, which means that the entire development life cycle is tested for vulnerabilities and newly discovered exploits.

As an IBM Certified Partner, FactR uses the best of IBM and complies with security standards, for example:

• ISO 27017 / ISO 27018 / ISO 9001 / ISO 22301 / ISO 31000 / PCI DSS / HITRUST

• FedRAMP

• SOC 1, SOC 2 and SOC 3 - A SOC 1 report focuses on controls at the service organization that would be useful to user entities and their auditors for planning a financial statement audit of the user entity and evaluating internal control over financial reporting at the user entity. SOC 2 and SOC 3 reports are designed to allow service organizations to communicate information about their system description in accordance with specific criteria related to availability, security and confidentiality.

Global Regulations:

• EU Model Clauses

• FERPA

• HIPAA

• ITAR

• And others

Page 10

Monitoring & Access

MONITORING

FactR has the ability to proactively monitor and gain security intelligence across cloud deployments. Using security analytics, FactR can find and respond to threats faster, dramatically accelerate investigation times and proactively manage compliance.

FactR uses not only IDS/IPS systems but also internal monitoring systems, which detect vulnerabilities that appear accidentally, as well as “hidden” services, on any internal workstation.

As much as possible, FactR automates processes and procedures to help increase efficiency, maintain consistency and repeatability, and reduce human error.

ACCESS CONTROL

FactR uses role-based access control methods that restrict privileged access to information resources based on the concept of least privilege. Authorization to access requires direct management approval.

Only after approval and authorization is an employee, client or contractor allowed to access the secured environment.

Page 11

Protection & Actions

PROTECTION

The FactR cloud is designed to protect your data with the ability to encrypt data at rest and data in motion through storage and data services, as well as key management services. State-of-the-art data encryption, personally identifiable information (PII) monitoring and a network security program combine to offer a comprehensive solution for your data protection needs.

The FactR Firewall is a cloud-based Web Application Firewall with an Intrusion Prevention System. The firewall is supported by the FactR Security Operations Centre (SOC), which provides 24/7/365 monitoring and response to all attacks. Some of the features that the FactR Firewall includes:

• Mitigation of Distributed Denial of Service (DDoS) Attacks

• Prevention of Vulnerability Exploit Attempts (e.g., SQLi, XSS, RFI / LFI, etc.)

• Protection Against the OWASP Top 10 (and more)

• Access Control Attacks (e.g., Brute Force attempts)

• Performance Optimization

ACTIONS

• Monthly device vulnerability scan performed internally

• Monthly vulnerability and compliance scan performed by third parties

• In-house penetration testing

• Documentation, practices, and continuous employee education

• Firewall change management procedures

• Data classification and ownership

• Incident management

• BCP (Business Continuity Plan) & DRP (Disaster Recovery Plan)

Page 12

Security Management

• Mandatory security awareness training and review for each employee

• Strict least-privilege access practices throughout teams

• Required non-disclosure & confidentiality agreements

• Background checks and skills assessment

• Active management in all aspects of the security community

Backups

FactR respects the data and creates daily (or, when necessary for the client, more frequent) fully encrypted backups using the latest advanced technology.

Private Keys

For the storage of private keys within the database, FactR encrypts each private key with a crypto library before storing it. The encryption key is passed in through an environment variable, which prevents a couple of extra scenarios from occurring. These include:

• If a dump of the db occurred and an attacker got hold of it, the keys within would still be encrypted; the same goes for any other injection attacks.

• On the machine itself the code does not hold the encryption key; it is passed in on execution, stopping the value from being parsed out of the code base. This is not a be-all-and-end-all solution: if the root user is on the machine, they would be able to access this environment variable.

NOTE: in the current config (one db machine & one FactR instance), an attacker would need root access to both in order to access sensitive information.
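An added example (not FactR’s code) of the scheme just described: the private key is encrypted before it is written to the database and the key-encryption key (KEK) arrives only through an environment variable, so a database dump yields ciphertext and a wrong KEK is rejected by the integrity tag. Assumptions: the variable name FACTR_KEK_HEX, the sqlite table and the account id are made up, and a stdlib HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for the unnamed crypto library (production code would use AES-GCM from a vetted library).

```python
# Added example: encrypt a wallet private key before storage; the KEK lives only in the environment.
import hashlib, hmac, os, secrets, sqlite3

ENV_VAR = "FACTR_KEK_HEX"  # hypothetical name for the environment variable the page describes

def load_kek() -> bytes:
    """Read the KEK from the environment, never from the code base or the database."""
    hex_key = os.environ.get(ENV_VAR)
    if not hex_key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to handle private keys")
    return bytes.fromhex(hex_key)

def _subkeys(kek: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the single KEK held in the environment.
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (stdlib stand-in for AES-GCM).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def encrypt_private_key(kek: bytes, private_key: bytes) -> bytes:
    """Return nonce || ciphertext || tag; only this blob ever reaches the database."""
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(private_key, _keystream(enc_key, nonce, len(private_key))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_private_key(kek: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a wrong KEK or a modified row is rejected."""
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("private key blob failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo() -> dict:
    """Constructed scenario: one wallet key, one DB dump, one attacker holding the dump but no KEK."""
    os.environ[ENV_VAR] = secrets.token_hex(32)  # set by the process supervisor in a real deployment
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wallet_keys (account_id TEXT PRIMARY KEY, enc_key BLOB)")
    seed = bytes(range(32))  # constructed stand-in for a 32-byte Ed25519 signing seed
    conn.execute("INSERT INTO wallet_keys VALUES (?, ?)", ("ACCOUNT-1", encrypt_private_key(load_kek(), seed)))
    dump = conn.execute("SELECT enc_key FROM wallet_keys").fetchone()[0]  # what a DB dump exposes
    try:  # attacker has the dump (even root on the DB host) but not the application host's KEK
        decrypt_private_key(secrets.token_bytes(32), dump)
        wrong_kek_rejected = False
    except ValueError:
        wrong_kek_rejected = True
    return {"roundtrip_ok": decrypt_private_key(load_kek(), dump) == seed,
            "dump_leaks_seed": seed in dump,
            "wrong_kek_rejected": wrong_kek_rejected}
```

The page’s own caveat still holds: root on the application host can read the environment, so the KEK and the database should not sit on the same machine.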

Page 13

Stellar Security

Stellar uses industry-standard public-key cryptography tools and techniques, which means that the code is well tested and well understood. All transactions in the network are publicly available, which means that the flow of funds can always be checked. Each transaction is signed by the person who sends it using the Ed25519 algorithm, which cryptographically proves that the sender was authorized to complete the transaction.

At FactR we use Stellar Horizon for our payment solution. FactR checks all third-party software to ensure security, as well as the third parties’ attitude towards securing their software. In the Stellar Horizon solution, we are confident about security for these reasons:

• The software is always up to date with the latest security patches

• Access to the Core is very limited and only necessary ports are open

• Strong bug-fixing history

• A compromised key pair can be deleted and a new one created

• Compliance with security regulations and checklists

• Possibility to freeze account assets

Page 14

API Security

FactR uses OAuth (Open Authorization), the token-based authorization system that is the most secure API measure available today. The advantage of token-based access is that a token can be deleted at any time for any reason: a security breach, misuse, or the user deciding to no longer grant access. Access tokens can also be used to restrict permissions, allowing the user to decide what the application should be able to do with their information or account. The API will allow the client application to destroy tokens when requested.

For the full security lifecycle, FactR not only uses safe and secure development systems, but also conducts “all time” ongoing security testing and scans:

• FactR conducts security scans to run all API tests

• At FactR, we have created a special system that protects APIs by running standard scans designed to simulate standard hacking methods.

• We perform manual testing in order not to miss any details that may be caused by a security breach.

• We integrate API security with automation to ensure that APIs stay secure after every code change.

Blockchain Security

At FactR we use a highly secure innovation: Blockchain technology. In a Blockchain, each block contains information about the previous block, which provides an authentication mechanism during the transaction. There is no third-party communication; instead, a public ledger is used, and all transactions are automatically recorded in this ledger.

The ledger records each transaction in the Blockchain and is immutable: existing data cannot be edited or deleted. In Blockchain technology the ledger is a decentralized application, so no one can access the transaction or any sensitive data in the ledger except to read it; information can only be read from the ledger. In the FactR Blockchain each block contains a hash value, and the hash of the previous block connects the blocks, so there is no way to alter them. Blockchain technology is a decentralized application and mainly supports peer-to-peer access. If someone in the Blockchain network does not agree with the transaction, then it cannot be completed. This protects against transaction fraud.
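An added example (not FactR’s code) of the hash linking described above: each block’s hash commits to its transactions and to the previous block’s hash, so a naive edit to one block breaks verification. It also shows the caveat behind the page’s decentralization point: a party holding a single copy can re-hash every later block, so a tampered copy passes its own check and is caught only by comparison with the peers’ copies (the “does not agree” condition). The transaction contents are constructed.

```python
import hashlib, json, copy

def block_hash(block: dict) -> str:
    # The hash covers the payload and the previous hash, so each block commits to its predecessor.
    body = {k: block[k] for k in ("index", "prev_hash", "transactions")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain: list, transactions: list) -> dict:
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    block = {"index": len(chain), "prev_hash": prev_hash, "transactions": transactions}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block

def verify_chain(chain: list) -> bool:
    """A block whose stored hash, or whose link to its predecessor, no longer matches breaks the chain."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False
        expected_prev = chain[i - 1]["hash"] if i else "0" * 64
        if block["prev_hash"] != expected_prev:
            return False
    return True

def rewrite_from(chain: list, index: int, transactions: list) -> list:
    """What a party controlling one copy can do: edit a block and re-hash everything after it."""
    forged = copy.deepcopy(chain)
    forged[index]["transactions"] = transactions
    for i in range(index, len(forged)):
        forged[i]["prev_hash"] = forged[i - 1]["hash"] if i else "0" * 64
        forged[i]["hash"] = block_hash(forged[i])
    return forged

def demo() -> dict:
    chain = []
    append_block(chain, [{"from": "shipper-A", "to": "carrier-B", "amount": 1200}])  # constructed
    append_block(chain, [{"from": "carrier-B", "to": "fleet-C", "amount": 300}])
    append_block(chain, [{"from": "shipper-A", "to": "carrier-D", "amount": 50}])
    peer_copy = copy.deepcopy(chain)  # an honest peer holding the same ledger

    edited = copy.deepcopy(chain)
    edited[1]["transactions"][0]["amount"] = 30000  # naive edit: stored hashes no longer match
    forged = rewrite_from(chain, 1, [{"from": "carrier-B", "to": "fleet-C", "amount": 30000}])
    return {
        "original_valid": verify_chain(chain),
        "naive_edit_detected": not verify_chain(edited),
        "rewrite_passes_local_check": verify_chain(forged),   # linking alone does not stop this
        "rewrite_caught_by_peer": forged[-1]["hash"] != peer_copy[-1]["hash"],
    }
```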

Page 15

Security Details (Table)

Why FactR can be considered secure, some examples of what we do (quick reference):

• SSL/TLS
• Secure Development
• Encryption
• Vulnerability Assessments
• Security Management System
• Anti-virus
• Pen Testing
• Data Classification
• Employee Education
• Security System Control
• 24/7/365 monitoring
• Risk Assessment
• Business Continuity
• Intrusion Detection System
• Physical Security Assessment
• Security Training
• Access Control
• Disaster Recovery
• Intrusion Prevention System
• Blockchain Security
• Involvement in OWASP
• Non-Disclosure Agreements
• Incident Management
• Security Operation Centre
• Information Security Policy
• Backups
• Involvement in Security Community
• Firewall
• Compliance with Security Standards
• Information Security Advisors

Page 16

[email protected]

Factrpay.io/security