Smart Card Reader Security
This training exposes participants with the relevant skills and knowledge in fundamentals of smart card and its devices, based on the smart card devices ecosystem. Participants will learn the skill and knowledge in smart card security, smart card devices security (reader, Software Development Kit (SDK), applications, etc.) and the fundamentals in cybersecurity (understanding the 3 pillars of IT security: Confidentiality, Integrity and Availability.
Participants will be able to understand the operations of smart card reader in forms of its components: hardware, firmware, Application Protocol Interface (API), biometric sensor, SDK, and applications. Participants will be exposed with the knowledge in performing IT security assessment using the methodology of Common Criteria, with reference to Common Evaluation Method (CEM).
This training will also include the knowledge in performing vulnerability assessment and penetration testing inclusive of reverse engineering applications and memory forensic. Participants will be able to produce technical report that highlights the test findings based on risk defined on the vulnerability found during the IT security testing. Lastly, participants will be able to provide recommendations and improvement based in the findings defined inside the test report.
To provide the fundamentals knowledge in smart card reader security testing in the form of theoretical and hands-on exercises.
Individual may have background as smart card developer, hardware programmers, IT security officers, security testers and anyone is concerned about smart card reader security.
Module 1: Fundamental of Smart Card Reader
Topic 1.1: Introduction to Smart Card Reader
Summary: This topic will be covering the fundamental of smart card reader where the introduction to the main components (software and hardware) and the physical properties of smart card reader. The following is the sub-topics will be covered in the training module, as follows.
- Theory on Smart Card Reader:
- Definition of SCR.
- Type of SCR.
- SCR Mode Operation.
- SCR Architecture.
- Physical Device Properties:
- Device Specification.
- Hardware Components.
- Printed Circuit Board (PCB).
- Exercise 1 – Quiz and/or Hands on activity.
Summary: This topic will be discussing about the communication between smart card and the reader. This topic will highlight all the communication details of both components to give the description of SCR working architecture. The following is the sub-topics will be covered in the training module, as follows.
- Introduction to Smart Card Reader Communication:
- Answer to Reset (ATR) protocol.
- Personal Computer and Smart Card (PC/SC) protocol.
- Smart Card and Reader Communication Method:
- Communication Protocols.
- Communication Application Protocol Data Unit (APDU).
- Exercise 2 – Quiz and/or Hands on activity.
Topic 2.1: IT Security Principles
Summary: This topic be covering all the fundamentals of IT security principles which are very important for IT security environment or ecosystem. The following is the sub-topics will be covered in the training module, as follows.
- Introduction to Security Principles:
- Security Definition.
- Security Pillars.
- Security Elements.
- Exercise 3 – Quiz and/or Hands on activity.
Summary: This topic be covering on the threats and security controls for smart card security environment and smart card reader ecosystem. The following is the sub-topics will be covered in the training module, as follows.
- Overview of Security Threats and Security Controls:
- Security Threats.
- Threats Attackers.
- Security Flaws.
- Security Controls.
- Model of Security Controls.
- NIST Framework for Security Controls.
- Smart Card Reader Security Threats and Security Controls:
- Smart Card Reader Threats.
- Security Controls to Smart Card Reader Threats.
Summary: This topic be covering the security evaluations approach and process flow that are applicable for a smart card reader. All the theory and general framework of security evaluation will be discussed. The following is the sub-topics will be covered in the training module, as follows.
- Introduction to Security Evaluations:
- Overview of Security Evaluation.
- Goal of Security Evaluation.
- Objective of Security Evaluation.
- Target and Purpose.
- Method of Security Evaluation.
- Structure of Security Evaluation Criteria.
- Types of Security Evaluation.
- Organizational Framework.
- Cost and Benefits.
- Security Evaluation Frameworks:
- Federal Information Processing Standards (FIPS 140).
- Payment Card Industry Data Security Standard (PCI-DSS).
- Common Criteria Evaluation and Certification (CC).
- Exercise 4 – Quiz and/or Hands on activity.
Summary: This topic be covering the current security evaluation by CyberSecurity Malaysia. The following is the sub-topics will be covered in the training module, as follows.
- Common Criteria Evaluation & Certification (MyCC).
- ICT Product Security Assessment (IPSA).
- Technology Security Assurance (TSA).
Topic 3.1: Introduction to Security Testing
Summary: This topic be covering on the overview of security testing based on method, approach, tools, and techniques used during the test execution. The following is the sub-topics will be covered in the training module, as follows.
- Overview of Security Testing:
- Definition of Security Testing.
- Goal of Security Testing.
- Types of Security Testing.
- Knowledge in Security Testing.
- Approach of Security Testing.
Summary: This topic will allow participant to perform hands-on exercises and participate in performing the test by using the knowledge learned during the training on an actual smart card reader device. The following is the sub-topics will be covered in the training module, as follows.
- Physical Tampering.
- Communication Sniffing.
Ts. Ahmad Dahari Bin Jarno
Malaysian Security Evaluation Facility (MYSEF)
Ahmad Dahari Bin Jarno, proudly holds cybersecurity professional certifications and experienced wisely in Common Criteria Evaluation & Certification and cybersecurity penetration testing more than 10 years. Graduated from Malaysia Multimedia University (MMU) as Bachelor (BHons) of Electronics Engineering Majoring in Computer. Started his career with CyberSecurity Malaysia as Security Analyst and currently with given trust as Research Lead (XPERTS Unit) under CyberSecurity Malaysia MySEF (CSM MySEF) Department, dedicating all his work in Common Criteria ICT product evaluation & certification and cybersecurity assessment with additions of leading a team in exploration of cybersecurity research, development and advisory that produce in-house solutions such as: test method, test tools, guideline, trainings and etc. In the domain of cybersecurity as his passion, exposed and experienced widely in the area of network security assessments, various type of penetration testing, web application assessment, web servers/appliances compliance testing and security audit. New exploration technology covers cybersecurity on Smart Card (OS, Applet & Reader) Evaluation, Hardware Security, Biometric Fingerprint Security, and innovation of assessment in Cloud Computing Security.
- 15 - 19 March 2021
- 24 - 28 May 2021
- 23 - 27 August 2021
- 11 - 15 October 2021
30 CPD Point
Please submit the Certificate of Completion to Global ACE Certification at www.globalace.org