
E Token Presentation

Date post: 26-Nov-2014
Upload: sardaar-umar-pal
eToken System. Presented By: Abdul Mobeen Khan | Waqas Butt | Mohsin Siddique | Hamza Farooq | Wahda Fakhar | Syed Mughees Abbas
Transcript
Page 1: E Token Presentation

eToken System

Presented By: Abdul Mobeen Khan | Waqas Butt | Mohsin Siddique | Hamza Farooq | Wahda Fakhar | Syed Mughees Abbas

Page 2: E Token Presentation

• Statistics (Hamza)
• Issues in current system
• Consumer survey
• As Is token Motor Vehicle System
• Proposed Payment Modes
• Vision Statement (Mughees)
• Advantages of new system introduced
• To be process
• ERD (Mobeen)
• Story board
• Schema
• Security (Waqas)
• Risk mitigation (Wahda)
• Cost and Benefit Analysis (Mohsin)

Presentation Key Notes

Page 3: E Token Presentation

Statistics

• Number of Lahore registered cars
HTV: 1.5 Lakh
LTV: 13.5 Lakh

• Number of Lahore registered cars outside Lahore
LTV: 3 Lakh

• Revenue Table

Revenue Collected

Year | Cars | Amount | Defaulters | Total Cars in Lahore | Revenue Loss (Millions)
2003 | 587439 | 2.045 billion | 132561 | 720000 | 461.601
2004 | 643876 | 2.242 billion | 136124 | 780000 | 474.008
2005 | 715765 | 2.492 billion | 134235 | 850000 | 467.43
2006 | 855432 | 2.978 billion | 84568 | 940000 | 294.481
2007 | 825654 | 2.875 billion | 154346 | 980000 | 537.461
2008 | 697500 | 2.428 billion | 322500 | 1020000 | 1123.003
2009 | 750000 | 2.611 billion | 300000 | 1050000 | 1044.654

Page 4: E Token Presentation

• People have difficulty remembering the due date of the token payment, which delays the payment.

• People have to stand in long queues at the post office to pay the token.

• There are no proper instructions specifying how much token fee is charged for which CC of car.

• Delayed token payments increase the arrears, so people get the arrears amount reduced through the excise department.

• The employees at the post office record all the information in a register, which can cause mistakes in the recorded data and is time-consuming as well.

• The data is recorded in only one place, so there is no backup plan to keep the data in other locations as well.

• You have to pay the car token only at the designated post office.

• For a new car you first have to pay the token at the GPO; the next year, when the token has to be renewed, you pay it at the designated post office.

• If an individual is driving a Lahore-number car outside Lahore, the individual has to come right away to Lahore to pay the token.

• If the car owner wants to change his/her designated post office, the change takes about 1 to 2 months.

• People often drive a car that is registered in somebody else's name, and despite this fact the person can pay the tax.

Issues in existing system

Page 5: E Token Presentation

Q: Do you pay motor vehicle tax every year?

Q: Are you currently owner of any Motor vehicle?

Consumer Survey

Page 6: E Token Presentation

Q: Are you an owner of?

Q: Which Motor Vehicle category you have?

Consumer Survey (Cont’d)

Page 7: E Token Presentation

Q: Are you satisfied with current tax payment medium?

Q: If no, then rank the following

Consumer Survey (Cont’d)

Page 8: E Token Presentation

Q: Are you willing to give token through Mobile?

Q: Are you willing to give token through Internet?

Consumer Survey (Cont’d)

Page 9: E Token Presentation

Q: Are you willing to pay token through cash?

Consumer Survey (Cont’d)

Page 10: E Token Presentation

Current Process

Page 11: E Token Presentation

• Through Cash ( current mode )

• Through SMS

• Through Internet

Proposed Payment Modes

Page 12: E Token Presentation

“Our vision is to shift the current, inefficient token tax collection system of the province of Punjab into a modern, efficient and transparent system by designing appropriate MIS systems to help Government in recovering the loss revenue and to facilitate the people in token tax submission”

Vision

Page 13: E Token Presentation

• Through scanning of e-tags at all entrance/exit ways and famous roads of the cities, and manually by traffic police officers.

• Does not have to hire employees
• Also saves printing cost
• Pay tax through various means
• No time limit for payment of tax

Advantages of our eToken

Page 14: E Token Presentation

• Also have account blockage facility for vehicle owner.

• More Transparency in the system.

Advantages of our eToken (Cont’d)

Page 15: E Token Presentation
Page 16: E Token Presentation
Page 17: E Token Presentation
Page 18: E Token Presentation
Page 19: E Token Presentation

Entities & Attributes

Page 20: E Token Presentation

Entity Relationship Diagram

Page 21: E Token Presentation

Schema

Page 22: E Token Presentation

Story Board – GUI’s

Page 23: E Token Presentation

Information Security is about preserving an organization’s overall information asset in its intended condition and ensuring its integrity, privacy, and availability to information users.

Security

NETWORK | SYSTEM | APPLICATION

SECURITY

• Data Security

• Bugs in Application

• Code theft

• Virus

• Updating

• Physical security

• ISP Packaged Apps

• Firewalls

• Intrusion Detection

• VPN

• Filtering

Page 24: E Token Presentation

Security (Cont’d)

• Intruder deterrence:
1. Firewall
2. Virus protection
3. Ensuring that all computers are configured to be updated automatically
4. Ongoing user education and policies

• Theft prevention:
• Security marking and asset inventory
• Moving the server into a secure, lockable room

• Internal security and confidentiality:
1. Strong password policy and user education
2. Physical security
3. Review security for filing cabinets and confidential documents

• Disaster prevention:
• More frequent backups with offsite storage
• Ensure backup of users’ local data
• Offsite backup of critical paper documents
• Regularly testing the backups by performing a restore

Page 25: E Token Presentation

• Viruses, worms, Trojan horses

• Phishing, identity theft

• Physical security

• Defects in platform / patches

• Authentication / authorization

• Application security

What affects security?

Page 26: E Token Presentation

• Data Security
– Encryption

• Client-side Application Security
– Licensing
– IP Protection
– Code Theft

Application Security?

Page 27: E Token Presentation

• Computer crime and cyberterrorism

• Identity theft
• Phishing
• Pharming

• Network Sniffing

• Application vulnerability

System Vulnerability

Page 28: E Token Presentation

Security Diagram

[Diagram labels: Virus, Cracker, Identity theft, Hackers, Spammer, Server, SSL 128 bits]

Page 29: E Token Presentation

Network Diagram

[Diagram labels: Web, Firewall, Server, Router, System 1, System 2, System 3, Modem, Modem, Post Office #1, Post Office #2]

• Firewalls (Software, Hardware)
• Routing Table

Page 30: E Token Presentation

• Risk Mitigation Plan – Areas of Focus
– Operations
– Training
– Process
– Change Management

• Disaster Planning

Risk Mitigation Plan & Disaster Planning

Page 31: E Token Presentation

Status:
• Currently there is no proper storage of the database in this system

Potential Risks:
• The loss of the data centre would result in unacceptable service
• Loss of transactions with wrong name and id.
• The loss of transactions that update the database would be unacceptable
• The loss of the database on local hard drives placed in the area.
• False updating of ownership record.

Mitigate Risks:
• Introducing the software-based solution to replicate transactions
• Perform real-time replication of all the transactions to a second system.
• Removal of the USB ports and CD drives from all the computers, except for those who are authorized to access.

Operation

Page 32: E Token Presentation

Status:
• Staff is not trained enough for data entry. There is no training system provided to any of the employees.

Risk Potential:

• Because trained staff are not available, the work would be time-consuming and costly.

Risk Mitigation:

• Proper training and workshops should be held to counter this problem.

• We offer one month of basic computer training and also training on the new system.

• A trained work force should be hired in order to make our system more efficient and swift.

Training

Page 33: E Token Presentation

• Change management is the process during which the changes of a system are implemented in a controlled manner by following a pre-defined framework

• Awareness - An individual or organization must know why a specific change or series of changes are needed.

• Desire - Either the individual or organizational members must have the motivation and desire to participate in the called for change or changes.

• Knowledge - Knowing why one must change is not enough; an individual or organization must know how to change.

• Ability - Every individual and organization that truly wants to change must implement new skills and behaviors to make the necessary changes happen.

• Reinforcement - Individuals and organizations must be reinforced to sustain any changes, making them the new behavior; if not, then we will evaluate the process after 3 or 6 months.

Change Management

Page 34: E Token Presentation

Change Management (Cont’d)

Page 35: E Token Presentation

• Behavioral Issues
– Behavioral issues with the employees of GPO/Excise
– Employees' willingness to accept the change
– Budget approval from the Excise ministry for the new process
– People's willingness to shift to new system
– Insecurity among the employees
– Accountability fear

• Technical Transformation
– User friendliness of new system
– Transformation from manual old to new system

• Cultural Issues
– Conflicts between the IT and non-IT background employees
– Non co-operative employees or different departments
– Acculturation of GPO and excise department.

• Acceptability
– Flexibility of people to accept new system through vigorous advertisements.

• Data and System migrations
– Transformation and up-gradation of raw data into database

• Champions (Mr. Pervez – Supervisor Person)
– Creating champions and support people to implement the system

Change Management (Cont’d)

Page 36: E Token Presentation

• Some data types that you should take into consideration for organization on a central repository are as follows:

• Key customer files: Contracts, agreements, contact information, proposals
• User login data: Profiles, UNIX .dot files, Config.sys files, Autoexec.bat files
• Network infrastructure files: DNS, WINS, DHCP, router tables
• User directories: User policies and privileges.
• Application data: Databases, Web site source code & files
• Security configuration files: ACLs, firewall rules, IDS configuration files, UNIX password/shadow files, Microsoft Windows SAM database, VPN configuration files, RADIUS configuration files
• Messaging files: key configuration files, user mailboxes, system accounts
• Engineer files: source code.
• Financial and company files: General ledger, insurance policies, accounts payable and accounts receivable files.

Key Resources

Page 37: E Token Presentation

Disaster Planning

Status:
• No backup system in place.

Potential Risk:
• The loss of the vehicle data centre would result in unacceptable loss.
• Unauthorized access of database on different levels of employees.
• Electricity failure
• The current firewall is the single point of failure.
• Application gets corrupted.
• No backup plan for the database recovery.
• Virus attack

Plans to Mitigate Risk:
• Build a second data centre completely in both the GPO.
• System will provide its own logins and passwords to each employee in order to check or track any activity done by employee.
• Purchase another firewall, identical to the current firewall and configure so that firewall service will continue to be delivered in the event that one firewall goes down. May be integrated into second data for improved reliability.
• Two backup systems are induced in order to minimize the risk of losing database.
• Automatic generators will be provided with UPS attached with each computer.
• Regular Antivirus updating.

Page 38: E Token Presentation

• One Time Cost
Software 500,000
Data Entry 2,400,000
Generator up gradation 50,000
Training 400,000
PO System cost 1,620,000
Printers at PO 210,000
Server Cost 200,000
Help line Number 100,000
Total one time cost 5,480,000

Data Entry

Total Forms 800000

Rate per form Rs 3 each

Training

Computer Diploma for 80 employees

Cost of diploma for each employee Rs 5000

PO systems cost

Computer 9800

DSL Connection 1200

Printer 6500

UPS (500wt) 9500

Total 27000

E-Tag Printers

Total Printer 65

Cost of Printer Rs 3200 each

Cost & Benefit Analysis

Page 39: E Token Presentation

Cost & Benefit Analysis (Cont’d)

• Operating Expenses
Card Printing 2,425,000
Mobile software/annum 500,000
Commission 28,687,285
E-Tag 3,900,000
Helpline staff/annum 528,000
Networking cost/annum 84,000
Domain/annum 24,000
SSL Security/annum 85,000
Antivirus 100,000
Anti Hacker/annum 85,000
Advertisement 13,699,061
Total Operating Expenses 49,687,346

Denomination Qty Rate Amount

50 0.5m 0.35 .175m

100 0.8m 0.35 .280m

500 1.6m 0.35 .700m

1000 1.8m 0.65 1.30m

2000 0.7m 0.65 .650m

5000 0.3m 0.65 .195m

Total 2.42m

Card Printing

Allocation of Cards

Retail Stores 60 24% 3%

Post Offices 160 63% 1.5%

GPO (Punjab) 33 13% 1.5%

E-Tag

Printing cost Rs 2.6 each

Estimated Qty 1.5m

Print Media 87%

Bill Boards 3%

Websites 4%

FM Channels 7%

Advertisement

Page 40: E Token Presentation

Cost & Benefit Analysis (Cont’d)

• Increase in Revenue
Revenue from new Token 507,010,528
Saving printing 150,000
Total Direct Revenue 507,160,528
Indirect Revenue 15,166,906
Total Revenue 522,327,434

Category Percentage (R) Percentage (N)

1000cc 20% 46%

Up to 1300 23% 26%

1300-1500 12% 8%

1600 17% 10%

2000 10% 5%

2500 10% 3%

Above 2500 7% 2%

Revenue Calculation

Total Revenue 522,327,434

Total one time cost 5,480,000

Total Operating cost 49,687,346

Net Benefit 467,160,088

Net Benefit

Page 41: E Token Presentation
Page 42: E Token Presentation

Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real addresses; they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned". The term pharming is a neologism based on farming and phishing. Phishing is a type of social engineering attack to obtain access credentials such as user names and passwords. In recent years both pharming and phishing have been used to obtain information for online identity theft. Pharming has become of major concern to businesses hosting ecommerce and online banking websites. Sophisticated measures known as anti-pharming are required to protect against this serious threat. Antivirus software and spyware removal software cannot protect against pharming.
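A defensive check for the hosts-file variant of pharming described above, as an added example that is not part of the original presentation: it parses hosts-file text and flags any watched hostname pinned to an address outside an approved set. The domain names, addresses and the `WATCHED` table are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the presentation); all names are placeholders.
SAMPLE_HOSTS = """\
# Static table lookup for hostnames
127.0.0.1       localhost
::1             localhost ip6-localhost
203.0.113.45    etoken.example www.etoken.example   # unexpected override
198.51.100.10   pay.etoken.example
0.0.0.0         ads.tracker.example
not-an-ip       broken.example
"""

# Assumption: hostnames the payment portal uses, mapped to the addresses a
# hosts file may legitimately pin them to (empty set = should never be pinned).
WATCHED = {
    "etoken.example": set(),
    "www.etoken.example": set(),
    "pay.etoken.example": {"198.51.100.10"},
}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # skip entries without a valid address
        for name in fields[1:]:                # one address may carry several aliases
            yield line_no, str(ip), name.lower().rstrip(".")


def audit_hosts(text, watched=WATCHED):
    """Return findings for watched names pinned to an address that is not approved."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in watched and ip not in watched[name]:
            findings.append({"line": line_no, "host": name, "ip": ip})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} is not an approved address")
```

Run on a schedule against the real hosts file, a non-empty result is a signal to investigate how the entry got there, since antivirus software alone will not report it.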

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users,[2] and exploits the poor usability of current web security technologies.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.[1] Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.[1] Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. [1] In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.[1] IDPSs have become a necessary addition to the security infrastructure of nearly every organization.[1]

Page 43: E Token Presentation

When Hackers Attack: why?

• Monetary
• Denial of Service/Publicity
– Spammers
– Extortionists
• Eavesdropping ($$$)
• Intellectual Property/Idea Theft
• Script Kiddie fame
• Black Hat

