TRANSCRIPT
©
Sean Clark, Director of Information Security Practice
Brintech, Inc., 124 Canal Street
New Smyrna Beach, FL 32168, 800.929.2746
Managing Information Security, an Increasing Risk
December 11th, 2006
2
Session Overview
Understand “Today’s” Security Strategy
The cost of security control
Understand, find, and mitigate the risks!!
New threats for today’s delivery channels
3
The Security Strategy
4
Image from: http://global.mci.com/us/enterprise/govt/igs/security/strategy_sm.gif
5
The Security Strategy
First we need Corporate Governance!
Then we must understand how much is too much to spend!
Then we must deploy technology with the most ROI and maintain metrics
Continue technology upgrades as threats evolve; remove dead wood
6
CEO’s Historic Focus
Increasing Shareholder Value
Improving Earnings
Customer Satisfaction
Growth of organization
7
Impacts to Focus
Brokerages, Insurance companies and other non-traditional banking institutions competing for business
Internet innovation and online competition
Security Threats impacting availability, confidentiality and integrity of information.
8
Typical Perspective
Taking the ‘insurance stance’: beware a false sense of security
Perception that security investments cannot be measured in terms of ROI.
If there is an incident… we can manage the risk internally to protect the reputation without increased risk.
9
Paradigm Shift in Perspective
Acquiring and retaining customers depends on how well you service them and maintain their confidence or trust.
There are metrics to identify the threshold of spending, but ROI is still difficult to measure.
Breach of customer confidence impacts earnings, and ultimately shareholder value.
Regulations require disclosure of data loss.
10
Financial Impacts
A 2003 study stated the average drop in share price for 22 publicly held companies reporting a security breach was 5.6% in the first 3 days, eroding a total of $15-$20 million in shareholder value.
13
Old Paradigm of Security
$5k per drawer * 200 tellers: $1,000,000
$6/hr rate, 15 minute balance per day
1/4 hr * $6/hr = $1.50 per day * 200 tellers = $300 a day
$300 * 280 (working days) = $84,000
$84k spent to count/protect $1,000,000
14
New Paradigm
Customer data is more valuable
Financial transactions are electronic
Data resides on multiple systems and on the wire.
It’s not just in the drawer and vault! It’s EVERYWHERE
18
Are we spending enough?
$129k for a Billion Dollar Bank yearly:
$354 per day
19
What scenarios apply?
Virus Infection
Spam prevention
Phishing or Pharming
Network Breach / Web Site defacement
Information Theft
MCIF theft
Etc…
20
The Danger of the Unknown Unknown
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.” - Secretary of Defense Donald H. Rumsfeld
22
Application InSecurities
Gartner states: 80% of web applications put into production through 2007 will fail due to poor quality issues.
Most deployments of applications within the organization are not reviewed for their security prior to deployment.
Responsibility turns to the IT staff of the organization once the technology is deployed.
23
Paradigm Shift in Perspective
A well-managed information security program can provide a competitive advantage by positively affecting customer acquisition and retention, the cornerstone of any business' ability to generate revenue.
Institutions that conduct business online must view information security as a business enabler and not a cost of doing business.
More and more systems use web based applications; increasing risk to the institution.
24
Paradigm Shift in Perspective
Evolving and emerging threats from increased delivery channel expansion require attention in an ‘inside-out’ approach.
Protect core applications first, then use layered security outward to the host and network.
25
If you don’t?
Insider threat, data theft…
Exposure of most valuable assets? (customer information)
Data corruption
Reputational Risks
Bank fines, closure… loss of shareholder value
26
Paradigm Shift: The Solution
Combine Governance and technology!
– Top Down acceptance and enforcement
– Exercise ‘worst case scenarios and responses’
Most companies respond with appropriate governance 70% of the time after an incident.
27
Regulatory Scrutiny Increases
Gramm-Leach-Bliley Act – (http://www.ftc.gov/privacy/glbact/)
Sarbanes-Oxley Act – (http://www.sarbanes-oxley.com/)
NASD Sec 17/A3-4 – (http://www.sec.gov/)
USA Patriot Act – (http://www.epic.org/privacy/terrorism/hr3162.html)
BSA (Bank Secrecy Act) – (http://www.ffiec.gov)
28
Verbiage from Proposed Bill
“…we would require companies that have databases with sensitive personal information on Americans to establish and implement data privacy and security programs. In the digital age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the databases they use and maintain which contain Americans' private data. They also have a responsibility in the next link in the security chain, to make sure that contractors hired to process data are adequately vetted to keep the personal information in these databases secure. This is increasingly important as Americans' personal information more and more is outsourced for processing overseas and beyond U.S. laws.”
http://www.govtrack.us/congress/record.xpd?id=109-s20050929-56&bill=s109-1789#sMonoElementm1m0m0m
29
Verbiage from Proposed Bill
“…our bill requires notice when sensitive personal information has been compromised. The American people have a right to know when they are at risk because of corporate failures to protect their data, or when a criminal has infiltrated data systems. The notice rules in our bill were carefully crafted to ensure that the trigger for notice is tied to "significant risk of harm" with appropriate checks-and-balances, in order to make sure that companies do not underreport. We also recognize important fraud prevention techniques that already exist. But our priority has been to make sure that victims have critical information as a roadmap that offers the assistance necessary to protect themselves, their families and their financial well-being.”
http://www.govtrack.us/congress/record.xpd?id=109-s20050929-56&bill=s109-1789#sMonoElementm1m0m0m
30
Focus is changing
Regulators will be forced to respond with more guidance (at least) if these bills are passed, requiring even more focus on security controls within your financial institutions!!
31
What to do
32
Delivery Channels
Methods to offer banking “anywhere, anytime” to customers that collectively provide the customer with a single, consistent view of the institution
33
Traditional Delivery Channels
34
Delivery Channels Today
[Network diagram: the Financial Institution and its Core System (Check Images, Loan Database, Financial Trust Database, Human Resources) surrounded by today’s delivery channels. Channels shown: Internet User, Online Banking / Bill Pay, PayPal/FirePay, Internet ACH update, ACH, FedLine over a Private WAN to the Fed, Check 21 / Endpoint Exchange, Check Clearing and Courier Mail, PBX, Modem, FAX, Touch Tone Teller & Direct Call, ATM System, Walk-In / Drive-In, Holding Company, Instant Messaging / Chat Rooms. The edge router in the diagram is labelled Cisco 1720.]
35
How is it different?
Interactive?
Transaction based?
Encrypted?
Network based vs. traditional methods?
Decentralization of Customer Information.
36
The Great Ideas!
37
Leveraging Technology
Loan Officers in the field (laptops)
Remote Deposits (IRD??)
Remote LockBox access
Remote Check Recon.
Check 21 (Image Exchange)
Two Factor Authentication
38
Managing Information Security Risk
InfoSec Governance
Understand the risks
Assess current security levels
Implement risk mitigating changes
Include mobile devices!!!
Enforce through policies, written/electronic
Train employees and staff
39
Understand the Risks
Customer information privacy!
Access to bank network (passwords)
Bank liability (reputation, etc)
Network virus infection (crash network)
Hacker intrusion (full/partial breach)
40
Assess Current Security Levels
Have security assessment performed
Understand the types of testing
– Vulnerability vs. penetration testing
– Internal vs. external
– Intrusion Testing
– Application review
Ensure assessment covers all network points of risk relating to financial institutions.
Include Mobile Devices
42
Include Mobile Devices
Mobile Devices are an extension of the internal bank network that creates potential risks to bank systems and the customer data protected by them.
43
FDIC Defines Testing/Prevention
“Prevention measures include sound security policies, well-designed system architecture, properly configured firewalls, and strong authentication programs. This paper discusses two additional prevention measures: vulnerability assessment tools and penetration analyses. Vulnerability assessment tools generally involve running scans on a system to proactively detect known vulnerabilities such as security flaws and bugs in software and hardware. These tools can also detect holes allowing unauthorized access to a network, or insiders to misuse the system. Penetration analysis involves an independent party (internal or external) testing an institution’s information system security to identify (and possibly exploit) vulnerabilities in the system and surrounding processes. Using vulnerability assessment tools and performing regular penetration analyses will assist an institution in determining what security weaknesses exist in its information systems.”
- FDIC FIL-68-99
45
Hype Cycle
46
Security 101: The Basics
C.I.A.:
– Confidentiality
– Integrity
– Availability
Awareness is key:
– Can’t respond without knowledge
– Can’t prevent without foresight
– Can’t research/investigate without evidence
– Can’t prosecute without proof
47
Delivery Channel
ATM / Credit / Debit Cards: Cards used for purchase, account query, or other transactions from multiple endpoints
– IP-enabled ATMs (Diebold, NCR, etc)
– Cash dispensers
– Point-of-purchase devices
– Online purchases
48
Card Risks (Medium to High)
Stolen card number or Pilfered PIN (phishing)
Network breach of ATM system (IP-enabled)
Physical breach of ATM Card reader / writer (USB-enabled)
49
ATM/Debit/Credit Card
50
Card Reader/Printer/Encoder
51
Fixes to Card Risks
Phishing: Educate consumers!!
Inspect ATM machine on a regular basis
Isolate ATM to a separate network from the institution’s network
Educate Customers
Consider new RFID technology risks
Understand future trends
52
ATM Theft
If they steal the box, they get all the internal configuration information.
53
Weak ATM systems
54
RF-ID ATM Cards
55
eWallet and JavaCards
56
Delivery Channel
Internet Direct: Direct communications which occur with direct contact to the bank’s network
– External attacks
– Website (hosted internal)
– Website (hosted external)
– Internet banking (hosted internal)
– Back-end imaging
– Lockbox
– Cash management offerings
– Internet banking (hosted external)
– Back-end imaging
57
Direct Internet Risks (Extremely High)
Internet breach
Spoofing of data or e-mail
Interception of log-on credentials
Information theft
The list goes on and on!
58
Do you have one of these?
Web Email System?
In-house Ibanking?
In-house LockBox?
In-house Check Recon system?
In-house Net-Deposit system?
59
If so, what you should do
Ensure it is in a properly filtered DMZ
Ensure the communications are encrypted, especially logon credentials.
Ensure HIDS agents are installed and monitored for intrusion
Ensure the systems are tested
Ensure 2 Factor authentication where possible.
60
Do you have these?
Firewalls?
Network Based IDS/IPS?
Host Based IDS/IPS?
Security Event Log Management?
Monitored Security?
61
How do they operate?
Firewall: Brick Building
Intrusion Detection Systems: car alarm
Intrusion Prevention System: trap door
Security Event Logging: alarm printer
Monitoring: Security Alarm Company
62
Fixes to Direct Internet Risks
Have a proper Information Security Program in place to cover
– Network Security Assessment
– Identification of risks
– Implementation of mitigating actions to prevent risk exploitation
– Enforcement of policies
– Re-evaluation on at least an annual basis
63
Delivery Channel
Internet Indirect: Indirect Internet activities which could usurp security and allow a transaction to occur illegally
– Remote user access
– Phishing
– Social engineering
– Mobile device risks
64
Indirect Internet Risks (High)
Remote bank employees accessing bank resources from unsecured networks are hijacked
– Keystroke loggers
– Trojan horses, worms
Educate customers about phishing
Employees socially engineered to allow access (phone or in-person)
Mobile device risks (laptops, PDAs, thumb drives) containing non-public customer data
Rogue wireless network access to bank network
Instant messaging poses risk
65
Fixes to Indirect Internet Risks
Restrict use of VPNs and enforce security measures to only allow bank managed devices to attach
Filter traffic allowed into the internal network from VPN and remote entities.
Implement two-factor authentication to protect remote log-on credentials
Implement firewalls, virus protection, and patch management
66
Fixes to Indirect Internet Risks
Train employees on social engineering tactics regularly
Limit and control use of mobile devices
Check for rogue wireless networks
– Wireless Scanner, etc.
Control and monitor Internet traffic content
– WebSense, SurfControl, etc.
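The "check for rogue wireless networks" item above, as an added example that is not part of the presentation: a minimal wireless-scanner check in PowerShell that flags any radio advertising one of the institution's SSIDs whose BSSID is not in the bank's access-point inventory (the usual sign of an unmanaged or impersonating AP). It assumes the scan text is the output of `netsh wlan show networks mode=bssid` on a Windows client with Wi-Fi; the function name, the SSID names, the BSSIDs and the sample scan below are all constructed for the demonstration.

```powershell
# Added example (not from the presentation): flag access points that advertise
# a corporate SSID from a radio (BSSID) that is not in the AP inventory.
# Assumption: $ScanLines is the line-split output of
#   netsh wlan show networks mode=bssid
function Find-RogueAccessPoint {
    param(
        [Parameter(Mandatory)] [string[]]$ScanLines,       # netsh output, one line per element
        [Parameter(Mandatory)] [string[]]$CorporateSsid,   # SSIDs the bank actually operates
        [Parameter(Mandatory)] [string[]]$AuthorizedBssid  # radios listed in the AP inventory
    )
    # Normalise the inventory once so lookups are case-insensitive and O(1).
    $authorized = @{}
    foreach ($b in $AuthorizedBssid) { $authorized[$b.ToLower()] = $true }

    $findings = @()
    $currentSsid = $null
    foreach ($line in $ScanLines) {
        # "SSID 1 : BankWiFi" opens a new network block in netsh output
        if ($line -match '^\s*SSID\s+\d+\s*:\s*(.*)$') {
            $currentSsid = $Matches[1].Trim()
            continue
        }
        # "    BSSID 1 : aa:bb:cc:dd:ee:ff" lists one radio of the current network
        if ($line -match '^\s*BSSID\s+\d+\s*:\s*([0-9a-f]{2}(?::[0-9a-f]{2}){5})') {
            $bssid = $Matches[1].ToLower()
            if (($CorporateSsid -contains $currentSsid) -and -not $authorized.ContainsKey($bssid)) {
                $findings += [pscustomobject]@{
                    SSID   = $currentSsid
                    BSSID  = $bssid
                    Reason = 'Corporate SSID advertised by a radio not in the AP inventory'
                }
            }
        }
    }
    return ,$findings
}

# Constructed sample scan (not a real capture): two radios claim "BankWiFi",
# but the inventory only knows the first one.
$sampleText = @'
SSID 1 : BankWiFi
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 90%
    BSSID 2                 : 00:11:22:33:44:66
         Signal             : 42%

SSID 2 : CoffeeShopGuest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : de:ad:be:ef:00:01
         Signal             : 30%
'@
$sampleScan = $sampleText -split "`r?`n"
$inventory  = @('00:11:22:33:44:55')   # constructed AP inventory

$rogue = Find-RogueAccessPoint -ScanLines $sampleScan -CorporateSsid @('BankWiFi') -AuthorizedBssid $inventory
$rogue | Format-Table -AutoSize

# Live use on a client with a wireless adapter:
#   Find-RogueAccessPoint -ScanLines (netsh wlan show networks mode=bssid) `
#       -CorporateSsid @('BankWiFi') -AuthorizedBssid (Get-Content .\ap-inventory.txt)
```

The check deliberately ignores neighbouring networks with unrelated SSIDs (the coffee shop in the sample); a stranger's network next door is not a rogue AP on the bank's network, whereas a radio claiming the bank's own SSID outside the inventory is worth a physical walk-through. Run it from several locations in the building, since a client only sees radios within its own range.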
67
WiFi Rogue AP
68
Disable USB Thumb Drives
Windows:
– Change permissions of or delete the USBSTOR.sys file on each system through GPO or manually.
– This will not allow the plug and play system to install the thumb drive.
– This does not prevent the driver from being used if already installed.
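The USBSTOR control described above, as an added example that is not part of the presentation: a read-only PowerShell audit for one Windows host that reports whether the usbstor.sys file is still readable by broad groups (i.e. the permission change has not been applied), whether the USBSTOR service is disabled for the "driver already installed" case the slide points out, and which USB storage devices Plug and Play has already enumerated. It assumes an elevated PowerShell session on the host being checked and the standard Windows paths; the function name and the "Controlled" verdict are this example's own.

```powershell
# Added example (not from the presentation): audit the USB mass-storage
# controls on this host. It only reads state; it changes nothing.
# Assumption: run elevated on the workstation being checked.
function Get-UsbStorageControlStatus {
    [CmdletBinding()]
    param(
        # The driver file the slide says to restrict or delete.
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\usbstor.sys'),
        # Service key of the installed driver. Start = 4 means the service is
        # disabled, which covers the gap the slide notes (driver already installed).
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    )

    $driverPresent = Test-Path -LiteralPath $DriverPath

    # Broad groups that normally hold Read on the driver. If any still has an
    # Allow entry, the permission change from the slide has not been applied.
    $broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $broadAllow = @()
    if ($driverPresent) {
        $acl = Get-Acl -LiteralPath $DriverPath
        $broadAllow = @($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($broadGroups -contains $_.IdentityReference.Value) } |
            ForEach-Object { $_.IdentityReference.Value })
    }

    # Start value of the USBSTOR service; the key is absent if the driver was
    # never installed on this host, which is also an acceptable state.
    $serviceKeyPresent = Test-Path -LiteralPath $ServiceKey
    $startValue = $null
    if ($serviceKeyPresent) {
        $startValue = (Get-ItemProperty -LiteralPath $ServiceKey -Name Start -ErrorAction SilentlyContinue).Start
    }

    # USB storage devices Plug and Play has already enumerated on this host.
    $usbStorageDevices = @(Get-CimInstance -ClassName Win32_PnPEntity -ErrorAction SilentlyContinue |
        Where-Object { $_.DeviceID -like 'USBSTOR\*' } |
        Select-Object -ExpandProperty DeviceID)

    $fileLockedDown  = (-not $driverPresent) -or ($broadAllow.Count -eq 0)
    $serviceDisabled = (-not $serviceKeyPresent) -or ($startValue -eq 4)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DriverFilePresent    = $driverPresent
        BroadAllowOnDriver   = $broadAllow
        ServiceKeyPresent    = $serviceKeyPresent
        ServiceStartValue    = $startValue
        EnumeratedUsbStorage = $usbStorageDevices
        # Both conditions are needed: a locked-down file stops new installs,
        # a disabled service stops an already-installed driver from loading.
        Controlled           = ($fileLockedDown -and $serviceDisabled)
    }
}

# Usage: run on a host after the GPO has applied and review the findings.
$status = Get-UsbStorageControlStatus
$status | Format-List
if (-not $status.Controlled) {
    Write-Warning "USB mass storage is not fully controlled on $($status.ComputerName)"
}
```

Checking the service Start value alongside the file ACL is what turns the slide's caveat ("does not prevent the driver from being used if already installed") into something you can verify fleet-wide: the ACL change alone leaves any host that saw a thumb drive before the GPO rolled out with a working driver. Running the function through your remoting tool of choice and filtering on Controlled -eq $false gives the list of machines still to fix.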
69
Disable Blue-Tooth / IR – More!
Disable in system BIOS
Do not order systems (laptops) with the capabilities
Remove and control the driver installation the same way as USBstor.sys
http://support.microsoft.com/default.aspx?scid=kb;en-us;555324
70
More controls: CD-R/W, DVD-R/W
Disable or don’t install Write-Once media
– CD-R/W
– DVD-R/W
71
Open Discussion