Financial Industry Security by Ron Widitz, MSIT ‘07
TRANSCRIPT
![Page 1: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/1.jpg)
Financial Industry Security
by Ron Widitz, MSIT ‘07
![Page 2: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/2.jpg)
Security is only as strong as the weakest link.
Paranoid or prudent?
![Page 3: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/3.jpg)
Why bother?
- Guard firm’s reputation
- Avoid litigation
- Retain competitive standing
- Maintain trust
  – Customers
  – Merchants
  – Business partners/vendors
![Page 4: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/4.jpg)
Regulation
- FDIC
- GLBA
- PCI DSS
- State/Federal/Intl
  – fraud detection
  – anti-money laundering
- SEC
- Sarbanes-Oxley
- HIPAA
- audit
- …
![Page 5: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/5.jpg)
Managing Risk
Balance what’s practical with:
- Basic security components
  – Confidentiality
  – Authenticity
  – Integrity
  – Availability
![Page 6: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/6.jpg)
Defense in Depth
- Physical
- Network
- Hardware/Devices
- System/Application Software
- Controls/policy/SOPs
![Page 7: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/7.jpg)
Physical
- Building/premises
  – Barricades
  – Surveillance
  – Layout & access
- Credit/debit card concerns
  – Skimming
  – Identity theft
![Page 8: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/8.jpg)
Physical barricade?
![Page 9: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/9.jpg)
Physical barricades
- Guard stations
- Bollards
![Page 10: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/10.jpg)
Guard station?
![Page 11: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/11.jpg)
Bollard effectiveness
![Page 12: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/12.jpg)
Physical access
- Card-key access
  – plus 2-factor or biometrics
- X-ray machines for all packages
- Winding roads vs. straight
- Hide data centers
  – no external signage
  – floor plans not registered with village
![Page 13: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/13.jpg)
Physical monitoring
- Incident response teams
- Live monitored CCTV
- Constant surveillance
![Page 14: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/14.jpg)
Physical plastic
- Magnetic stripe or RFID or smartcard
- Hologram
- Credit
  – Signature, account, CID, expire date
- Debit
  – Account and PIN or signature
- Online secure/generated account/CID
![Page 15: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/15.jpg)
CID: not-present verification
![Page 16: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/16.jpg)
Information Security
- is protection against
  – Unauthorized access to or modification of information (storage, processing, transit)
  – Denial of service to authorized users
  – Provision of service to the unauthorized
- includes measures necessary to detect, document and counter such threats
![Page 17: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/17.jpg)
Network
- Firewall
- IDS
- Proxy server
- Encryption
- DR / BCP
- Threat modeling
- Trust boundaries / zones
![Page 18: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/18.jpg)
Threat Modeling
- Enumerate risks:
  – Assets, entry points, data flow
- Data Flow Diagram and decomposition
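The slide's three threat-modeling steps (enumerate assets, entry points and data flow; draw the DFD; decompose it) can be mechanised on a small model. The following is an added example and not part of the original deck: a tiny data-flow-diagram model whose zone names ("internet", "dmz", "internal") and the rule that a flow should only move one layer at a time are assumptions standing in for the "3-Zone Security Architecture" the slides name but do not describe; the elements and flows are constructed sample data, not a real system.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not from the slides. Zone names and their ranks are an
# assumption: a three-zone layering where a flow should only move one layer.
ZONES = {"internet": 0, "dmz": 1, "internal": 2}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # DFD element type: "external", "process" or "store"
    zone: str   # one of ZONES


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str   # what travels on the flow


def _index(elements):
    return {e.name: e for e in elements}


def trust_boundary_crossings(elements, flows):
    """Flows whose endpoints sit in different zones. Each one is an entry point
    where the receiving side must authenticate the sender and validate the data."""
    by_name = _index(elements)
    return [f for f in flows if by_name[f.src].zone != by_name[f.dst].zone]


def zone_violations(elements, flows):
    """Flows that jump more than one layer (e.g. Internet straight to internal)
    break the layering and are a design-level finding."""
    by_name = _index(elements)
    return [f for f in flows
            if abs(ZONES[by_name[f.src].zone] - ZONES[by_name[f.dst].zone]) > 1]


def reachable_stores(elements, flows, start):
    """Decomposition step: which data stores (assets) can `start` reach by
    following flows in their direction?"""
    by_name = _index(elements)
    adjacency = defaultdict(list)
    for f in flows:
        adjacency[f.src].append(f.dst)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adjacency[node])
    return sorted(n for n in seen if by_name[n].kind == "store" and n != start)


# Constructed sample model (not a real system).
ELEMENTS = [
    Element("customer", "external", "internet"),
    Element("web_app", "process", "dmz"),
    Element("account_api", "process", "internal"),
    Element("accounts_db", "store", "internal"),
    Element("report_share", "store", "internal"),
]
FLOWS = [
    Flow("customer", "web_app", "credentials, card number"),
    Flow("web_app", "account_api", "card number, amount"),
    Flow("account_api", "accounts_db", "account record"),
    Flow("accounts_db", "account_api", "balance"),
    Flow("customer", "report_share", "statement download (legacy path)"),
]

if __name__ == "__main__":
    for f in trust_boundary_crossings(ELEMENTS, FLOWS):
        print(f"entry point: {f.src} -> {f.dst} [{f.data}]")
    for f in zone_violations(ELEMENTS, FLOWS):
        print(f"layering violation: {f.src} -> {f.dst}")
    print("assets reachable from customer:",
          reachable_stores(ELEMENTS, FLOWS, "customer"))
```

Running it lists three entry points, flags the legacy customer-to-report_share flow as skipping the DMZ, and shows that the external entity can reach both data stores, which is exactly the kind of fact a decomposition is meant to surface before controls are chosen.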
![Page 19: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/19.jpg)
3-Zone Security Architecture
![Page 20: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/20.jpg)
Social Engineering
- Persuasion via
  – trust of others
  – desire to help
  – fear of getting in trouble
- Phishing
- Dumpster diving
![Page 21: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/21.jpg)
Software
- Access control
- Defensive design/coding
- Live/penetration testing
- Backups/change control
- Field-level encryption
![Page 22: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/22.jpg)
Access Control
- Authentication
  – identity confirmation
- Authorization
  – permission often role-based
- Accountability
  – logging / audit
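The three bullets above are the three checks a request passes through in order, and the accountability step has to record the outcome of the other two whether they succeed or fail. The following is an added example, not code from the deck: a request path that confirms identity with a salted PBKDF2 password check, grants permission from a role table, and appends every decision to an audit log. The roles, permissions, users and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Added example, not from the slides. All users, roles and tuning values are
# constructed for illustration.

PBKDF2_ITERATIONS = 200_000  # assumed tuning value


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Authorization is role-based, as the slide says: role -> permitted actions.
ROLE_PERMISSIONS = {
    "teller": {"account.read", "deposit.create"},
    "auditor": {"account.read", "audit.read"},
    "admin": {"account.read", "deposit.create", "audit.read", "user.manage"},
}

# Constructed user directory: username -> salt, digest and role.
USERS: Dict[str, dict] = {}
for _name, _pw, _role in [("alice", "correct horse battery", "teller"),
                          ("bob", "hunter2-but-longer", "auditor")]:
    _salt, _digest = hash_password(_pw)
    USERS[_name] = {"salt": _salt, "digest": _digest, "role": _role}

AUDIT_LOG: List[dict] = []


def _audit(event: str, user: str, action: str, outcome: str) -> None:
    """Accountability: every decision is logged, successes and denials alike."""
    AUDIT_LOG.append({"ts": time.time(), "event": event, "user": user,
                      "action": action, "outcome": outcome})


def authenticate(username: str, password: str) -> bool:
    """Identity confirmation. The hash is computed even for unknown users so the
    response time does not reveal which usernames exist."""
    rec = USERS.get(username)
    salt = rec["salt"] if rec else b"\x00" * 16
    _, candidate = hash_password(password, salt)
    ok = rec is not None and hmac.compare_digest(candidate, rec["digest"])
    _audit("login", username, "-", "success" if ok else "failure")
    return ok


def authorize(username: str, action: str) -> bool:
    """Permission check against the caller's role; deny by default."""
    role = USERS.get(username, {}).get("role")
    ok = action in ROLE_PERMISSIONS.get(role, set())
    _audit("authz", username, action, "allow" if ok else "deny")
    return ok


def perform(username: str, password: str, action: str) -> str:
    """One request path: authenticate, then authorize, then act."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return "denied: not permitted for role"
    return f"ok: {action}"


if __name__ == "__main__":
    print(perform("alice", "correct horse battery", "deposit.create"))
    print(perform("alice", "correct horse battery", "audit.read"))
    print(perform("mallory", "guess", "account.read"))
    for entry in AUDIT_LOG:
        print(entry)
```

The audit log is the part most often skipped: a denied authorization for a valid user is the record an investigator needs later, so it is written before the caller ever sees the denial.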
![Page 23: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/23.jpg)
Defensive design/coding
- Vulnerability Classification
  – design, implementation, operational
  – relevant: touches input
  – related: enforce via crypto, logging, config
- Code Assessment Strategy
  – Code comprehension, candidate point analysis, design generalization
- Coding standards/best practices
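"Relevant: touches input" and "candidate point analysis" both point at the same place: the code that first receives untrusted data. The following is an added example, not from the deck, showing what defensive coding looks like at one such point, a card-not-present payment request of the kind the earlier "CID: not-present verification" and "Physical plastic" slides describe (account, CID, expiry date). The request layout, field names and sample values are constructed assumptions; the card number used is the widely published test number, not a real account.

```python
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import List

# Added example, not from the slides. Field names and sample requests are
# constructed; the date is pinned so the checks are reproducible.
SAMPLE_TODAY = date(2024, 6, 1)
PAN_PATTERN = re.compile(r"\d{13,19}")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: cheaply rejects mistyped or fabricated card numbers
    before anything downstream sees them."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Only the last four digits may reach logs or audit trails."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Validated:
    ok: bool
    errors: List[str]
    masked_pan: str   # safe to log; the full PAN and CID are never returned


def validate_payment(req: dict, today: date) -> Validated:
    """Reject anything malformed at the boundary and explain why, without
    echoing the sensitive fields back."""
    errors: List[str] = []

    pan = str(req.get("pan", ""))
    if not PAN_PATTERN.fullmatch(pan):
        errors.append("pan: must be 13-19 digits")
    elif not luhn_ok(pan):
        errors.append("pan: failed Luhn check")

    cid = str(req.get("cid", ""))
    if not re.fullmatch(r"\d{3,4}", cid):
        errors.append("cid: must be 3-4 digits")

    expiry = str(req.get("expiry", ""))
    m = re.fullmatch(r"(\d{2})/(\d{2})", expiry)
    if not m:
        errors.append("expiry: must be MM/YY")
    else:
        month, year = int(m.group(1)), 2000 + int(m.group(2))
        if not 1 <= month <= 12:
            errors.append("expiry: bad month")
        elif (year, month) < (today.year, today.month):
            errors.append("expiry: card expired")

    try:
        amount = Decimal(str(req.get("amount", "")))
        if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
            errors.append("amount: must be positive with at most 2 decimals")
    except InvalidOperation:
        errors.append("amount: not a number")

    masked = mask_pan(pan) if PAN_PATTERN.fullmatch(pan) else "<invalid>"
    return Validated(not errors, errors, masked)


# Constructed sample requests.
GOOD_REQUEST = {"pan": "4111111111111111", "cid": "123", "expiry": "12/30", "amount": "19.99"}
BAD_REQUEST = {"pan": "4111111111111112", "cid": "12", "expiry": "13/20", "amount": "-5"}
EXPIRED_REQUEST = {"pan": "4111111111111111", "cid": "123", "expiry": "01/20", "amount": "1"}

if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_REQUEST, EXPIRED_REQUEST):
        result = validate_payment(req, SAMPLE_TODAY)
        print(result.masked_pan, "ok" if result.ok else result.errors)
```

Two design points match the slide's "related" bullet: the validator enforces the rule (shape, checksum, date, amount) rather than trusting the caller, and the only card data it hands back is the masked PAN, so the logging that follows cannot leak what it validated.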
![Page 24: Financial Industry Security by Ron Widitz, MSIT ‘07](https://reader035.vdocuments.net/reader035/viewer/2022062714/56649d015503460f949d46c8/html5/thumbnails/24.jpg)
Q&A