Protecting Your Data Is Our Business

Microexpert has a long track record of helping clients protect the confidentiality and integrity of their information systems. We can provide the following products and services:
  • Information Risk Assessment
  • Protective Monitoring (Mirkatz Network Defense Units)
  • Fraud Prevention and Detection
  • Insider Attack Prevention and Detection
  • Electronic Payment System Architects
  • Identity Management Architects
We are also specialists in the technology of cryptographic security objects such as smart cards, SIM cards and USB tokens and can advise on their use in Government, Financial and Commercial environments.

Thursday, 1 January 2009

Products

What is Protective Monitoring?

Protective Monitoring is where IT systems are protected with monitoring arrangements that are able to alert administrators of any unauthorised access. Protective monitoring can range from the appointment of team supervisors to technically sophisticated protective monitoring systems. Commercially sold protective monitoring systems automatically detect unusual patterns of information being retrieved or proprietary information included in outgoing (external) E-mail messages.

Protective Monitoring devices are being increasingly relied upon as viruses and spyware (malicious code) are developed further. These devices are essential to prevent certain types of attacks as they work alongside traditional security barriers, such as Firewalls and Anti-virus software, adding to the effectiveness of the existing countermeasures provided. Where an attack bypasses or defeats the countermeasures in place, the protective monitoring system is able to record the events of the attack and provide evidence trails, allowing investigation into any attacks that are suspected.

Although Firewalls and Anti-virus software are effective, the use of a protective monitoring system can prevent any new malicious code from entering your network or can prevent outsiders from accessing and withdrawing data on the network.

Protective Monitoring devices have been designed to protect against unauthorised:

  • breaches of the network (computers linked to one area through internet)
  • attempts to access information within a network
  • exportation (withdrawal) of information from a network
  • import (entry) of information on to the network
  • breaches of integrity of information and services
  • breaches in availability of information
  • renunciation of action and responsibilities

D-007 (domestic):

The D-007 is a small protective monitoring computer appliance that plugs in to your internet broadband connection. This one device will not only save your computer from being cluttered by another piece of software, that may cause instability, but will monitor your whole home network, whether it is just one PC or even a home wireless network.

The D-007 has been specifically designed to analyse traffic on your network, detecting forms of unacceptable behaviour, such as exploiting personal data that leaves the network and prohibiting access by any means to undesirable content, whether it is copyright materials, violent or sexually explicit, and using behavioural algorithms that can detect possible grooming used by paedophiles.

The D-007 has been programmed to also alert authorised controllers about possible dangers such as children giving out personal information and can also notify when suspect “friends” start to home in on children. These alerts are sent to the authorised controllers by means of either E-mail messaging or through SMS text messaging.*

PM-012 (industrial):

The PM-012 works in the same way as the D-007 device; however, it has been more specifically designed for use in a business environment. The PM-012 has been programmed to monitor the usage of personal or sensitive data and prohibits this information from being accessed and withdrawn from outside the network or from being used undesirably by those inside the company network. The PM-012 monitors the usage of copyright materials and will prevent any data from these materials from being used outside of the network, enabling data to be kept more secure and prohibited from those who may try to gain this information.

As with the D-007, the device is able to notify the authorised controllers of any unwanted behaviour on the network, including that of indecent and explicit content and the removal of sensitive and corporate data. This device can be configured to block activities that are deemed to be unacceptable within the company, such as the use of FaceBook or Twitter, to which alerts will be sent to the authorised controllers when an attempt to participate in these activities occurs. These alerts are also sent through messaging via E-mail and SMS text* to the authorised controllers.

How Protective Monitoring Can Benefit You

Although Protective Monitoring could be implemented using software modules added to your computer, they can present significant problems to the machine and are vulnerable to the attacks from internal and external threats. This software can often clutter up PCs to the extent that the software in turn creates instability throughout the computer, causing your computer to crash or run inefficiently.

With the use of an attachable device, there is no need to have the software on a computer, allowing more stability to be kept, and also preventing the vulnerability caused by attacks from internal and external threats. Through having only one device installed on to computer networks, the protection of more than one PC can be increased and monitored, enabling the whole network, however large, to be safe from the risks of computer failure or attack. The Protective Monitoring devices are available for domestic and industrial usage, with an option to be connected with Tamper-proof connectors.

Please note that the D-007 and PM-012 are currently available only in English (UK). If any additional or alternate languages are required, please contact one of the consultants at Microexpert, where we will be happy to help.

How to Gain More Details and How to Order

For more information about the D-007 and PM-012 products, please contact one of our consultants via E-mail or Telephone on the contact details below:

E-mail: info@microexpert.com

Telephone: (+44) 1903 721 668

Alternatively, you can write to us at:

Microexpert Ltd

Suite 3, Anchor Springs,

Duke Street, Littlehampton,

West Sussex, BN17 6BP. ENGLAND.

* The SMS alerts are available as an optional choice by authorised controllers for a small annual fee. This fee currently stands at £29 per annum (including VAT), which covers the cost of the SMS messaging.

Services

Training

Microexpert provide comprehensive training courses for people new to the field or those wanting to obtain more in depth experience of Smart Cards and their applications.

Smart Card Foundation Course

Microexpert are running Smart Card foundation training courses for people new to the Smart Card industry and those who want to achieve a rapid knowledge of the commercial and technical issues surrounding the use of Smart Cards. The session will cover the role of Smart Cards in major application areas, such as the financial, government, telecoms and entertainment markets, and provides an overview of Smart Card applications. The training courses will be given over four sessions in a single day. The courses will also cover aspects of security and PKI technologies as they relate to Smart Card applications. No previous technical knowledge is necessary.

For the Smart Card Foundation Course Brochure (Download File pdf):
http://consult.microexpert.com/foundationtraining.pdf

ITSO Foundation Training Course

ITSO foundation training courses are designed to provide an overview of the use of Smart Cards within transport and will in particular refer to the ITSO specifications. The training course will be given over four sessions in a single day. Our ITSO foundation training course aims to show the advances in technology, which will make inter-operability of UK Smart Card schemes possible. The training course will cover the general background to contactless Smart Cards, the security requirements surrounding the use of Smart Cards in transport applications, the architecture necessary to achieve an interoperable transport scheme and give an overview of current Smart Card transport schemes throughout the world.

For the ITSO Foundation Course Brochure (Download File pdf):
http://consult.microexpert.com/ITSOtraining.pdf

Custom Training Courses

Tailored courses in any of the following fields are also available:
  • Physical/Logical Access Control Systems
  • Biometrics/ ID Cards
  • Cryptography
  • Public Key Infrastructure
  • JavaCard
  • MiFare

Training Testimonials

“It was without doubt the most comprehensive and interesting training, which I have attended. I even surprised myself in that, not only did I fulfil my objectives in obtaining a rounded business-oriented understanding of the Smart Cards, but I now have a thorough understanding (for me at any rate) of the technical issues involved.” R.B.

Technical Downloads

Smart Card Tutorial (Download File .pdf)

This tutorial is designed to help people new to the industry to acquire a good technical background to the controlling technology.
http://www.smartcard.co.uk/tutorials/sct-itsc.pdf

Ant JCOP JavaCard Build Set-Up, For compiling, loading and deleting JavaCard Applets

The solution contains all the files you need to build and load a JavaCard applet onto IBM JCOP Cards or emulators. You must first have the IBM JCOP tools installed (see http://www.blogger.com/www.zurich.ibm.com/JavaCard).

Unzip the archive and read README.TXT for full instructions.

Download v1.1 updated files now:
zip (http://consult.microexpert.com/jcop-ant-v1.1.zip)
or
tar (http://consult.microexpert.com/jcop-ant-v1.1.tar.gz)

Protective Monitoring

We all know about anti-virus and anti-malware software; who would dare operate their PC on the internet without such protection? Commercial and government organisations are also well briefed in keeping their software up to date by installing the latest patches and most home users have the auto-update software installed on their PCs.

The truth is that this cannot protect you from the real dangers of the internet. No matter how well designed the software on your computer, there will always be holes that can be exploited by a range of attackers from the insider, a disgruntled employee at work or even your spouse at home, to the highly qualified team of hackers employed by organised crime or Foreign Intelligence Services (FIS).

The University of Toronto has reported (March 2009) that a Chinese spying operation has obtained sensitive information from more than a thousand computers in over 100 countries. The University specialists were unable to prove that the Chinese government was behind the attacks (dubbed ‘GhostNet’) but they did note that the topics of interest included activities by the Tibetan independence activists. Denied of course by the Chinese government but these forms of attacks are now becoming well known and cyber warfare is becoming a bigger feature in information security.

The damage done to an organisation through even unintentional data loss can be severe enough to break the organisation. In 2005 CardSystems Solutions lost 40 million debit and credit card account details which resulted in the company going bankrupt in 2007. A recent survey by Ipsos MORI discovered that over 50% of account holders in the UK (about 23 million) would move bank if their bank lost their personal account details. The effect on the offending bank is incalculable.

It is not technically possible to have a perfectly secure system; there will always be flaws in the software or the combination of the software and hardware platform that makes up your computer system. By Everett’s Principle we know that there are many attacks on computer systems that cannot be stopped, but they can always be detected. This is the primary objective of Protective Monitoring: to analyse the interactions with our computer system to detect when some unexplained or prohibited behaviour is taking place and to alert the authorised controllers accordingly.

The UK government is well versed in the requirements for Protective Monitoring, which is documented in CESG Infosec Memo 22. The application of such techniques is mandatory in many sensitive government information management systems.

Some organisations employ Intrusion Detection Systems (IDS) to detect attacks upon their system, but Protective Monitoring takes this further by looking for attacks by insiders who may use the information systems quite normally to steal confidential data, which is subsequently made available to external parties. Other employees may use the computing facilities made available by the company in order to undertake tasks that would be in breach of the company’s security policy, sex and violence in emails or web sites for example. Others may spend a disproportionate amount of their day interfacing with social web sites such as FaceBook or Twitter.

It is easy to forget that it is the user of computer systems that needs to be protected. Most people and particularly young children would be inexperienced or unaware of the dangers of the internet jungle. Phishing, where users are misled into giving away sensitive information to hacker sites purporting to be their financial institution, is, for example, a major concern. Today these same organisations are moving to the internet as the main method of communicating with their customers and that can only cause greater confusion and vulnerability for their customers.

Children are a particular vulnerability when it comes to the internet and it’s not only the downloading of inappropriate material; there have been numerous reports of young persons uploading material of a sexual nature sometimes in which they are intimately involved. Then there is the grooming of young persons by paedophiles, a threat that is regrettably on the increase. Another area of concern is bullying which can be quite prevalent with young people including girls. We tend to think of it as a physical attack but some of the worst cases of bullying are actually caused by psychological damage and here the girls dominate, ‘if you talk to her again you won’t be my friend any more’.

Protective Monitoring is usually undertaken by inserting one or more network monitoring devices into your computer system. In the case of the home, it can be just one device that seamlessly connects between your broadband modem and your home network, be it one PC or even a home wireless network. This Protective Monitoring device analyses the traffic on your network to detect the forms of unacceptable behaviour we have discussed. In the event of such detection, the appliance can arrange for the authorised controller to be alerted by email or SMS text message and it can even be configured to block the unacceptable activity.

Although in principle you could implement Protective Monitoring by adding software modules to your computer, they would however present a significant performance penalty to your machine and would themselves be subject to attack by internal and external threats.

The Microexpert Team

Dr David Everett - Principal Consultant
David Everett graduated from Southampton University in 1976 and became Head of Electronics when he joined the Medical Research Council, Mill Hill, London. He was subsequently made Director of Computing and Electronics where his interest in coding theory and cryptography for the protection of data was stimulated. David founded Open Security Ltd in 1980, which was responsible for the design of tamper resistant cryptographic hardware modules that authenticated messages for CHAPS (Clearing Houses Automated Payment Scheme). He then went on to be a security consultant at EftPos UK from 1985 to 1990, where he was responsible for the security design of the first commercial product to use the RSA cryptographic algorithm. During 1990 to 2000, David worked as Technical Director at platform seven, a division of National Westminster Bank. David was the technical architect of Mondex, a concept for a Smart Card electronic purse and was also responsible for the design and development of a multi-application Smart Card operating system based on the use of a virtual machine in the IC chip known as Multos. David first proposed the use of a virtual machine for Smart Cards in 1985 whilst working on the ISO 7816 standard. He was awarded the IEE Ambrose Fleming award for the design of a Compton Effect gamma ray camera in 1978, and in 1984 the BCS Application Award for the design of a software protection system using enciphered code. David is currently the Technical Editor of Smart Card News Ltd. David is also a member of the CLAS (CESG Listed Advisor scheme).

Bill Reding - Smart Card Systems Consultant
Bill began his career at Barclays Bank in 1966, where he worked as a programmer on several major internal systems and customer-specific solutions. In 1976 he joined the Sema Group (then CAP, now SchlumbergerSema) as a consultant working on a wide range of tasks including feasibility studies, requirements analysis and design tasks, consultancy studies, project reviews, security reviews, systems and acceptance testing and project management. Clients during this period included American Express, APACS, Barclays Bank, DataCard, EftPos UK Ltd, Lloyds Bank, MasterCard, Mercantile Credit, Midland Bank (HSBC), Morgan Guaranty Trust, NatWest and Rank Xerox. Bill was also closely involved in the development of electronic purse projects (including Mondex) and the MULTOS operating system during this period. Bill joined DataCard in 2000 and has been an active participant in GlobalPlatform and other standards groups involved with the application of multi-application Smart Cards. He has conducted training to DataCard worldwide staff on Smart Cards, security and card management, as well as training external organisations. Bill left DataCard in 2002 and is now a Member of the British Computer Society and an Associate of the Chartered Institute of Bankers. Bill's areas of expertise are systems design and Multi-application Smart Cards.

Dr Keith Jackson - Smart Card Systems Consultant
Keith started his post doctoral career initially at Guys Hospital Medical School, London. He moved into data security when he joined Open Computer Security in Brighton to head the technical development for a range of products designed to provide the necessary security for inter bank financial payment systems, of which CHAPS (Clearing Houses Automated Payment Scheme) involved the secure transfer of billions of pounds on a daily basis. At Oceonics SPL, Keith was employed as Principal Consultant involved in the design, development, and manufacture of commercial encryption and authentication equipment. Keith was one of the consultants employed by EftPos UK, a company owned by the major UK banks, to implement a national EftPos scheme. The project was recognised for its innovative use of modern cryptography, including the first use of RSA in a commercial retail environment. In 1990, Keith joined the National Westminster Development Team, working on the Mondex electronic purse scheme, which used Smart Cards to implement a secure value transfer scheme. He developed the early demonstration system necessary to establish the core business case to the project sponsors. This involved working with the earliest Smart Card systems capable of implementing Public Key cryptography. Since those early days, Keith has been involved with many aspects of Smart Cards, including more modern multi-application Smart Cards. He is a prolific writer and has published numerous articles on fraud and security, including computer viruses. Keith has also co-authored several books on computer security, including “Computer Security Solutions”, “Information Services and Use”, “The PC security guide 1990/1991” and “IBM Systems Journal”, and was the sole author of a PC encryption book, “Secure Information Transfer- PC Encryption: A Practical Guide”, published in January 1990, and “Computer Security Reference Book”, published in January 1992.

Dr Susan Thompson - Senior Consultant
Susan has a PhD in Mathematics (Best Approximation in Normed Linear Spaces) and is an applied mathematician with over 18 years of experience in security and cryptography. She was with DataCard Consult P7 for 7 years, working on the design of cryptographic algorithms for projects such as Mondex and JavaCard. Previously, as Head of the System Security Group, Susan worked for Plessey Crypto on a number of technical assignments. She was also involved with the EftPos UK project, producing design specifications for security components and security procedures. More recently, Susan has been working with TNO TPD in signal and power analysis of Smart Cards, Biometrics and design methodologies for Smart Card evaluation, including Common Criteria.

Peter Hawkes - Senior Consultant
Peter has an impressive record of successful business development of new automatic identification technologies. These include Biometrics, Smart Cards and RFID tags. At BTG Plc, he was responsible for acquiring the invention rights in the Super tag RFID technology and then developing and exploiting it as the first true radio label system with very large scale applications.

The biometric projects began with the NPL's “Verisign” dynamic signature verification project of 1972. Following the successful licensing of this, Peter developed a licensing business for BTG in hand vein pattern biometrics. Later, he helped commercialise further signature biometrics from the University of Kent. The Kent software was the subject of the first public trial of biometrics in 1992.

Contact Us

If you have a project you need advice on or there are any queries or concerns you wish to highlight, please feel free to contact the team at Microexpert.

You can contact us via E-mail, Telephone, or by Post, where we shall get back to you as quickly as possible.

Write to us at:

Microexpert Ltd,

Suite 3, Anchor Springs,

Duke Street, Littlehampton,

West Sussex.

BN17 6BP.

ENGLAND.

Phone: (+44) 1903 721 668

Fax: (+44) 1903 734 318

E-mail: info@microexpert.com

Company Profile

Identity Management

Identity management is concerned with the life cycle of the identity of subjects and objects and, by default, being able to prove this identity as and when required. There is nothing new about the concepts of identity management and arguably it is the basis of a community of which these entities are members.

Each entity must have a reference characteristic that is unique within the community to which it belongs. It could be anything from a simple name to an 80 digit number, which would be enough to identify every atom in the universe.

Originally, individuals only ever existed in their own environmental community, a tribe of perhaps 100 people, where everyone knew everybody else. Over time this has expanded to the use of intermediaries for vouching identity, an employer or a banker's reference for example. Of course in some cases, this identity has to be established from scratch, when you move area for example.

But in all cases what is clear is that the identity only makes sense in terms of the relationship between two entities. The only difference is about how quickly you establish the trust that underlies a relationship. In the electronic world, these concepts have morphed into two approaches:

1. The eBay model, where you start from scratch and build up a reputation (under your eBay ID) that both parties (buyer and seller) to a relationship can freely observe.
2. The reference model, where some third party vouches for your identity. We tend immediately to think of Certification Authorities and digital Certificates but in actual fact our credit card is a form of reference ID. The bank takes on the role of vouching for our identity in a totally foreign community and providing the necessary (in this case) commitment to pay.

Payment Systems
Microexpert's consultants have been at the forefront of payment systems from Automated Clearing Houses (ACH) to low value cashless payments using contactless Smart Cards. In the Smart Card arena EMV (Chip and PIN) have dominated in recent years, but now we have seen enormous growth in contactless payments and numerous projects piloting Near Field Communications (NFC). We can work with you in all these areas.

Trusted Transactions
Trusted transactions rely on an end to end relationship between the participants. In the network world, these relationships are established over remote links that may involve many routers but, from a security point of view, the transactions must be protected across the two end points, generally assuming all intermediate points and links to be insecure.

The transaction will require some combination of security services:
  • Confidentiality
  • Data integrity
  • Entity authentication
  • Non-repudiation
These combinations are normally provided using cryptographic mechanisms. The user cannot create such techniques without the use of some cryptographic tokens, so it is additionally required to be able to bind the user to the tokens using passwords or biometrics.

The scheme must provide adequate assurance for:
  • Tamper Resistant Node Properties
  • Strength of Protocols and Mechanisms
  • Node Processing Integrity
  • Node Identification
  • User Binding (e.g. passwords or biometrics)
These properties are difficult to achieve in practice and we will be pleased to advise you on the best path for your particular requirements.

Secure Access Control
Access control is concerned with only allowing access to resources by authorised entities, which may be people or computer processes.

The resources may be physical, such as buildings and car parks, or logical, such as network access to a local or remote server.

Smart Cards in both contact and contactless mode may be used to securely control such physical and logical access. In essence, the Smart Card acts as an authentication token that can be bound to the user by (for example) passwords or biometrics. This provides what is commonly referred to as 2-Factor authentication: the Smart Card token and the password. A cryptographic infrastructure, both secret key and public key, can provide the necessary level of assurance when combined with a suitable Smart Card chip.

Anti-Counterfeiting
Anti-counterfeiting is all about embedding a security object in the device to be protected. Traditional objects (e.g. holograms) can be visually checked while electronic devices such as contactless RFID tags are capable of machine interrogation.

The properties of the object are that:
  • It cannot be reproduced by an attacker
  • It cannot be transferred (i.e. from one device to another) by an unauthorised person
  • Its authenticity can be proved
Integrated circuit chips in various form factors can provide a whole range of solutions with varying security levels. Please contact us to discuss your requirements.

IPR Management
Sometimes products fail to meet expectations; on other occasions, issues arise surrounding the Intellectual Property Rights (IPR) of your product or a competing product. Microexpert can help you here, by analysing the relevant product and determining the cause of the problems or the rights of the parties involved.

We have specialists in all aspects of Smart Cards and cryptographic security. Microexpert can also provide Expert Witnesses for legal proceedings.

Clients
Below is a list of clients that Microexpert's consultants have been involved with, including how they participated in our clients' projects:

  • CHAPS (Clearing Houses Automated Payment Scheme), UK – Design and development of the cryptographic authentication modules used to protect the inter-bank financial messages. Today CHAPS passes over £100 billion per day

  • Eurocheque Security Architecture – Design of cryptographic modules for protecting financial transactions

  • EftPos UK Security Design – Design of the security architecture for a national electronic point of sale scheme, which was the first commercial implementation of the RSA public key cryptographic system

  • Mondex – Design of the first totally transferable electronic purse system using an off-line secure Smart Card protocol

  • Multos – Design architecture of the first open platform virtual machine multi-application operating system for Smart Cards

  • AMEX – Development of a multi-platform Smart Card management system. The scheme can handle both Multos and JavaCard platforms

  • DataCard – Smart Card log-on and authentication system for Novell Network systems

About Us

Microexpert is a part of the Smart Card Group of companies and was formed as a security consultancy over 20 years ago in 1983. We have been active in the Digital Security arena for the last 15 years and continue to advise clients on using secure integrated circuits in the form of Smart Cards, Crypto Tokens and RFID Tags for a variety of business applications, ranging from transport tickets to payment cards and satellite conditional access cards.

When it comes to developing new products, we are very aware of the potential problems facing industry. Project teams within Business Development often find that they are able to see far beyond the capability of their in-house IT department, which are already loaded with existing projects. Microexpert helps these project teams to remove the pressure of the situation.

Our consultants here at Microexpert have been involved in many national and international Digital Security projects, including the designing and production of the Mondex electronic purse scheme and being actively involved in the development of smart card management systems, one of which was developed by DataCard and bought by American Express. The most well known of the lightweight card management systems developed by the team at Microexpert is the 'Rosco', which was designed for remote control of Smart Card applications and platforms.

Among the management systems developed in the projects aided and commissioned by Microexpert, we have also been using modern Public Key cryptographic systems to implement a security system for citizen cards. With identity and authentication being a core part of the Microexpert design infrastructure, the security designs implemented have been based around the use of the JavaCard, which effectively invokes a remote security session with the individual citizens' cards. One implementation of the citizen card security system has been enforced by Aberdeen county council through their Accord Card.

At present, we are expanding our key areas to include Protective Monitoring. With very few products available both industrially and domestically, we have opened a project to boost network and internet security through the protection and monitoring of private data leaving nodes (clients and servers).

With more and more exposure to data vulnerability and loss, Microexpert are currently developing Protective Monitoring devices, rather than software (as software can bloat and cause instability on computers), that can actively monitor internet traffic, blocking private data from leaving the home. The Protective Monitoring devices will also be capable of using analysis logs to identify the coercion of paedophiles and other internet nasties, that may be trying to access and gain personal and sensitive data from networks.

What can our consultants do for you?

The consultants at Microexpert are highly skilled in a wide range of key areas. These have included:

  • Smart Cards and Tokens, including the specialism of multi-application Smart Cards,

  • Chip and PIN (EMV) and payment systems

  • Biometrics/ Identity and Authentication

  • Cryptography

  • Public Key Infrastructures

  • Satellite Conditional Access Schemes

  • Protocol Design and Analysis

  • Software Design and Development

  • Network and Internet Security

  • ITSEC and Common Criteria security evaluation and certification