Post on 01-Jan-2017
Financial Industry Financial Industry SecuritySecurityby Ron Widitz, MSIT ‘07by Ron Widitz, MSIT ‘07
Security is only as strong as Security is only as strong as the weakest link.the weakest link.
Paranoid or prudent?Paranoid or prudent?
Why bother?Why bother? Guard firm’s reputationGuard firm’s reputation Avoid litigationAvoid litigation Retain competitive standingRetain competitive standing Maintain trustMaintain trust
– CustomersCustomers– MerchantsMerchants– Business partners/vendorsBusiness partners/vendors
RegulationRegulation FDICFDIC GLBAGLBA PCI DSSPCI DSS State/Federal/State/Federal/
IntlIntl– fraud detectionfraud detection– anti-money anti-money
launderinglaundering
SECSEC Sarbanes-Sarbanes-
OxleyOxley HIPAAHIPAA auditaudit
……
Managing RiskManaging Risk Balance what’s practical with:Balance what’s practical with: Basic security componentsBasic security components
– ConfidentialityConfidentiality– AuthenticityAuthenticity– IntegrityIntegrity– AvailabilityAvailability
Defense in DepthDefense in Depth PhysicalPhysical NetworkNetwork Hardware/DevicesHardware/Devices System/Application SoftwareSystem/Application Software Controls/policy/SOPsControls/policy/SOPs
PhysicalPhysical Building/premisesBuilding/premises
– BarricadesBarricades– SurveillanceSurveillance– Layout & accessLayout & access
Credit/debit card Credit/debit card concernsconcerns– SkimmingSkimming– Identity theftIdentity theft
Physical barricade?Physical barricade?
Physical barricadesPhysical barricades Guard Guard
stationsstations BollardsBollards
Guard station?Guard station?
Bollard effectivenessBollard effectiveness
Physical accessPhysical access Card-key accessCard-key access
– plus 2-factor or biometricsplus 2-factor or biometrics X-ray machines for all packagesX-ray machines for all packages Winding roads vs. straightWinding roads vs. straight Hide data centersHide data centers
– no external signageno external signage– floor plans not registered with villagefloor plans not registered with village
Physical Physical monitoringmonitoring Incident response teamsIncident response teams Live monitored CCTVLive monitored CCTV Constant surveillanceConstant surveillance
Physical plasticPhysical plastic
Magnetic stripe or RFID or smartcardMagnetic stripe or RFID or smartcard HologramHologram CreditCredit
– Signature, account, CID, expire dateSignature, account, CID, expire date DebitDebit
– Account and pin# or signatureAccount and pin# or signature Online secure/generated account/CIDOnline secure/generated account/CID
CID: not-present CID: not-present verificationverification
Information SecurityInformation Security is protection againstis protection against
– Unauthorized access to or modification of Unauthorized access to or modification of information (storage, processing, transit)information (storage, processing, transit)
– Denial of service to authorized usersDenial of service to authorized users– Provision of service to the unauthorizedProvision of service to the unauthorized
includes measures necessary to includes measures necessary to detect, document and counter such detect, document and counter such threatsthreats
NetworkNetwork FirewallFirewall IDSIDS Proxy serverProxy server EncryptionEncryption DR / BCPDR / BCP Threat modelingThreat modeling Trust boundaries / zonesTrust boundaries / zones
Threat ModelingThreat Modeling Enumerate risks:Enumerate risks:
– Assets, entry points, data flowAssets, entry points, data flow Data Flow Diagram and decompositionData Flow Diagram and decomposition
3-Zone Security 3-Zone Security ArchitectureArchitecture
Social EngineeringSocial Engineering Persuasion viaPersuasion via
– trust of otherstrust of others– desire to helpdesire to help– fear of getting in troublefear of getting in trouble
PhishingPhishing Dumpster divingDumpster diving
SoftwareSoftware Access controlAccess control Defensive design/codingDefensive design/coding Live/penetration testingLive/penetration testing Backups/change controlBackups/change control Field-level encryptionField-level encryption
Access ControlAccess Control AuthenticationAuthentication
– identity confirmationidentity confirmation AuthorizationAuthorization
– permission often role-basedpermission often role-based AccountabilityAccountability
– logging / auditlogging / audit
Defensive Defensive design/codingdesign/coding Vulnerability ClassificationVulnerability Classification
– design, implementation, operationaldesign, implementation, operational relevant: touches inputrelevant: touches input related: enforce via crypto, logging, configrelated: enforce via crypto, logging, config
Code Assessment StrategyCode Assessment Strategy– Code comprehension, candidate point Code comprehension, candidate point
analysis, design generalizationanalysis, design generalization Coding standards/best practicesCoding standards/best practices
Q&AQ&A
?