Financial Industry Security by Ron Widitz, MSIT ‘07.

Posted on 17-Dec-2015

Transcript of Financial Industry Security by Ron Widitz, MSIT ‘07.

Financial Industry Security

by Ron Widitz, MSIT ‘07

Security is only as strong as the weakest link.

Paranoid or prudent?

Why bother?

Guard firm’s reputation
Avoid litigation
Retain competitive standing
Maintain trust
– Customers
– Merchants
– Business partners/vendors

Regulation

FDIC
GLBA
PCI DSS
State/Federal/Intl
– fraud detection
– anti-money laundering
SEC
Sarbanes-Oxley
HIPAA
audit
…

Managing Risk

Balance what’s practical with:
Basic security components
– Confidentiality
– Authenticity
– Integrity
– Availability

Defense in Depth

Physical
Network
Hardware/Devices
System/Application Software
Controls/policy/SOPs

Physical

Building/premises
– Barricades
– Surveillance
– Layout & access
Credit/debit card concerns
– Skimming
– Identity theft

Physical barricade?

Physical barricades

Guard stations
Bollards

Guard station?

Bollard effectiveness

Physical access

Card-key access
– plus 2-factor or biometrics
X-ray machines for all packages
Winding roads vs. straight
Hide data centers
– no external signage
– floor plans not registered with village

Physical monitoring

Incident response teams
Live monitored CCTV
Constant surveillance

Physical plastic

Magnetic stripe or RFID or smartcard
Hologram
Credit
– Signature, account, CID, expiry date
Debit
– Account and PIN or signature
Online secure/generated account/CID

CID: card-not-present verification

Information Security

is protection against
– Unauthorized access to or modification of information (storage, processing, transit)
– Denial of service to authorized users
– Provision of service to the unauthorized
includes measures necessary to detect, document and counter such threats

Network

Firewall
IDS
Proxy server
Encryption
DR / BCP
Threat modeling
Trust boundaries / zones

Threat Modeling

Enumerate risks:
– Assets, entry points, data flow
Data Flow Diagram and decomposition

3-Zone Security Architecture
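The two slides above (threat modeling by DFD decomposition, and a three-zone architecture) can be exercised mechanically: describe the elements and data flows, mark which zone each element lives in, and let a script list the assets, the entry points (flows arriving from a less trusted zone) and the flows that violate the zone layout. The following is an added example, not the presenter's material; the zone names (internet / DMZ / internal), the components and every flow are constructed for the illustration.

```python
"""Enumerate trust-boundary crossings in a small data-flow diagram.

Added illustration for the threat-modeling and 3-zone slides; it is not the
presenter's material.  Zone labels, components and flows are all constructed.
"""
from dataclasses import dataclass

# Assumed three-zone layout, least trusted first (hypothetical labels).
ZONES = ["internet", "dmz", "internal"]


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" (outside party), "process", or "store" (an asset)
    zone: str   # one of ZONES


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str           # what travels on the flow
    encrypted: bool     # protected in transit?


def threat_model(elements, flows):
    """Decompose the DFD: list assets, entry points and zone-layout violations."""
    by_name = {e.name: e for e in elements}
    assets = [e.name for e in elements if e.kind == "store"]
    entry_points, findings = [], []
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        si, di = ZONES.index(src.zone), ZONES.index(dst.zone)
        if si == di:
            continue                        # stays inside one zone: no boundary crossed
        if di > si:
            entry_points.append(f)          # data arrives from a less trusted zone
        if di - si > 1:
            findings.append((f, "skips a zone: must pass through the intermediate zone"))
        if not f.encrypted:
            findings.append((f, "crosses a trust boundary in the clear"))
        if dst.kind == "store":
            findings.append((f, "data store touched directly from another zone"))
    return {"assets": assets, "entry_points": entry_points, "findings": findings}


# Constructed sample diagram for a card-payment path.
SAMPLE_ELEMENTS = [
    Element("customer browser", "external", "internet"),
    Element("merchant POS", "external", "internet"),
    Element("web front end", "process", "dmz"),
    Element("payment API", "process", "internal"),
    Element("fraud engine", "process", "internal"),
    Element("account DB", "store", "internal"),
]
SAMPLE_FLOWS = [
    Flow("customer browser", "web front end", "PAN + CID", encrypted=True),
    Flow("web front end", "payment API", "authorization request", encrypted=True),
    Flow("payment API", "account DB", "account lookup", encrypted=False),
    Flow("account DB", "fraud engine", "transaction history", encrypted=False),
    Flow("web front end", "account DB", "session cache write", encrypted=True),
    Flow("merchant POS", "payment API", "settlement batch", encrypted=False),
    Flow("fraud engine", "web front end", "decline notice", encrypted=False),
]


if __name__ == "__main__":
    report = threat_model(SAMPLE_ELEMENTS, SAMPLE_FLOWS)
    print("assets:", report["assets"])
    for f in report["entry_points"]:
        print(f"entry point: {f.src} -> {f.dst} ({f.data})")
    for f, issue in report["findings"]:
        print(f"finding: {f.src} -> {f.dst}: {issue}")
```

On the sample, the merchant-to-API settlement flow is flagged twice (it bypasses the DMZ and is unencrypted), the DMZ front end writing straight into the account store is flagged once, and the internal-to-DMZ decline notice is flagged for leaving the zone in the clear even though it is outbound and therefore not an entry point.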

Social Engineering

Persuasion via
– trust of others
– desire to help
– fear of getting in trouble
Phishing
Dumpster diving

Software

Access control
Defensive design/coding
Live/penetration testing
Backups/change control
Field-level encryption

Access Control

Authentication
– identity confirmation
Authorization
– permission often role-based
Accountability
– logging / audit
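The three parts of the slide above fit together as one small component: authentication confirms identity and hands out a session, authorization checks the session's role against a permission table with deny as the default, and accountability writes every decision, allowed or refused, to an audit log. The code below is an added example and not the presenter's; the roles, permissions and user are constructed, and the password storage (salted PBKDF2) is one reasonable choice rather than anything the slides prescribe.

```python
"""Authentication, role-based authorization and audit logging in one place.

Added illustration for the access-control slide, not the presenter's code.
Roles, permissions and users below are constructed for the example.
"""
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical role -> permission table.  Anything not listed is denied.
ROLE_PERMISSIONS = {
    "teller": {"account:read", "transaction:post"},
    "auditor": {"account:read", "audit:read"},
    "admin": {"account:read", "account:close", "audit:read", "user:manage"},
}
PBKDF2_ROUNDS = 100_000


class AccessControl:
    def __init__(self):
        self._users = {}      # username -> (salt, password hash, role)
        self._sessions = {}   # session token -> username
        self.audit_log = []   # accountability: every decision, allowed or not

    def _record(self, event, user, detail, allowed):
        self.audit_log.append({"ts": time.time(), "event": event, "user": user,
                               "detail": detail, "allowed": allowed})

    def add_user(self, username, password, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest, role)

    # Authentication: confirm identity, hand back an opaque session token.
    def authenticate(self, username, password):
        record = self._users.get(username)
        # Hash even for unknown users so response time does not reveal valid names.
        salt, stored, _ = record or (b"\0" * 16, b"\0" * 32, None)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        ok = record is not None and hmac.compare_digest(digest, stored)
        self._record("authn", username, None, ok)
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    # Authorization: role lookup through the session, deny by default.
    def authorize(self, token, permission):
        user = self._sessions.get(token)
        role = self._users[user][2] if user else None
        allowed = permission in ROLE_PERMISSIONS.get(role, set())
        self._record("authz", user or "<no session>", permission, allowed)
        return allowed

    def denied_attempts(self):
        """What an auditor reviews first: every refused login or permission check."""
        return [e for e in self.audit_log if not e["allowed"]]


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "correct horse", "teller")      # constructed user
    token = ac.authenticate("alice", "correct horse")
    print("teller may read account:", ac.authorize(token, "account:read"))
    print("teller may close account:", ac.authorize(token, "account:close"))
    print("denied so far:", ac.denied_attempts())
```

Note that the refused checks are logged with the same detail as the granted ones; an audit trail that records only successes cannot show a brute-force or privilege-probing attempt.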

Defensive design/coding

Vulnerability Classification
– design, implementation, operational
– relevant: touches input
– related: enforce via crypto, logging, config
Code Assessment Strategy
– Code comprehension, candidate point analysis, design generalization
Coding standards/best practices
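In the classification on the slide above, code that touches input is where implementation vulnerabilities concentrate, and logging is one of the related controls. For card data both matter at once: the PAN, expiry and CID arrive as untrusted form fields, and whatever is logged afterwards must not carry the full account number. The example below is added here and is not the presenter's code; the field names and sample values are constructed, the checksum is the standard Luhn check used for card numbers, and the mask keeps only the first six and last four digits, which is the most PCI DSS allows to be displayed in the clear.

```python
"""Validate card data where it touches input, and mask it before it reaches logs.

Added illustration for the defensive design/coding slide, not the presenter's
code.  Field names and sample values are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date

PAN_RE = re.compile(r"^[0-9]{13,19}$")
CID_RE = re.compile(r"^[0-9]{3,4}$")
EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])/([0-9]{2})$")


def luhn_ok(pan):
    """Standard Luhn checksum: catches typos and random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits; everything else is starred out."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class CardInput:
    pan: str
    expiry_month: int
    expiry_year: int
    cid: str

    def __repr__(self):
        # Anything that logs or prints this object sees only the masked PAN
        # and never the CID, so a careless log line cannot leak full card data.
        return (f"CardInput(pan={mask_pan(self.pan)!r}, "
                f"expiry={self.expiry_month:02d}/{self.expiry_year % 100:02d}, cid='***')")


def parse_card_input(fields, today):
    """Strict parse of untrusted form fields: reject rather than repair."""
    pan = re.sub(r"[ -]", "", fields.get("pan", ""))   # allow only grouping spaces/dashes
    if not PAN_RE.match(pan) or not luhn_ok(pan):
        raise ValueError("invalid card number")
    m = EXPIRY_RE.match(fields.get("expiry", ""))
    if not m:
        raise ValueError("invalid expiry")
    month, year = int(m.group(1)), 2000 + int(m.group(2))
    if (year, month) < (today.year, today.month):
        raise ValueError("card expired")
    cid = fields.get("cid", "")
    if not CID_RE.match(cid):
        raise ValueError("invalid CID")
    return CardInput(pan, month, year, cid)


def rejects(fields, today):
    """Return the rejection reason, or None when the input is accepted."""
    try:
        parse_card_input(fields, today)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    sample = {"pan": "4111 1111 1111 1111", "expiry": "12/30", "cid": "123"}
    card = parse_card_input(sample, date.today())
    print(card)                     # masked in the representation
    print(rejects({**sample, "cid": "12a"}, date.today()))
```

Rejecting on any failed check, instead of stripping bad characters and continuing, is the defensive choice: a "repaired" PAN that still passes Luhn is a different account number, and an expiry that was silently normalized hides a problem the fraud engine would want to see.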

Q&A

?