Financial Institution Security Top IT Security Risk April 13, 2011 - John Abraham

Upload: redspin-inc

Post on 05-Dec-2014


DESCRIPTION

Redspin founder and security evangelist John Abraham delivers a keynote at a financial institution security conference.

TRANSCRIPT

Page 1: Financial institution security top it security risk

Financial Institution Security: Top IT Security Risk

April 13, 2011 - John Abraham

Page 2: Financial institution security top it security risk

Issue 1: Systematic Risk Management

Focus, focus, focus

Page 3: Financial institution security top it security risk

Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA - Administrative Safeguards (§164.308), ...


Page 5: Financial institution security top it security risk

Issue 2: Mobile Devices in the Enterprise

Page 7: Financial institution security top it security risk

Issue 3: Wireless

Page 8: Financial institution security top it security risk

Issue 4: Social Media Information Disclosure

Page 9: Financial institution security top it security risk

Issue 5: Virtualization Sprawl

Page 10: Financial institution security top it security risk

Issue 6: 3rd-Party Mobile Applications

Patch Management + Mobile Applications = Danger!

Page 11: Financial institution security top it security risk

Issue 7: Vendor Management

The days of "Oops, it was the vendor" being a valid excuse for a data breach are long over.

Page 12: Financial institution security top it security risk

Issue 8: SQL Injection

Never trust the user!

Page 13: Financial institution security top it security risk

Issue 9: Inadequate Testing Programs

Existence does not equal Effective


Page 15: Financial institution security top it security risk


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
...
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
...
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 10.0.0.3
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0
access-group out in interface outside
access-group in in interface inside
access-group dmz in interface dmz
...
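A rule-base review of the kind this slide invites, written in Python as an added example that is not part of the presentation: it parses PIX access-list lines (a constructed excerpt of the config above, embedded in SAMPLE) and flags any-protocol permits, permitted cleartext management protocols, a named port paired with the wrong transport, and rules fully shadowed by an earlier rule in the same ACL. The check labels and the shadowing test are the example's own, not Cisco's.

```python
import ipaddress
import re
# Transport each PIX named port belongs to; "both" is valid after tcp or udp.
NAMED_PORTS = {"telnet": "tcp", "ftp": "tcp", "smtp": "tcp", "www": "tcp",
               "https": "tcp", "ssh": "tcp", "domain": "both", "time": "both"}
CLEARTEXT = {"telnet", "ftp"}  # credentials cross the wire unencrypted
ADDR = r"(?:any|host \S+|\S+ \S+)"
RULE = re.compile(rf"access-list (\S+) (permit|deny) (\S+) ({ADDR}) ({ADDR})(?: eq (\S+))?$")
# Constructed sample: access-list lines taken from the slide's PIX config.
SAMPLE = """
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
"""

def to_net(text):
    """Map PIX address syntax (any | host A | A MASK) to an ip_network."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    spec = text.split()[1] + "/32" if text.startswith("host ") else text.replace(" ", "/")
    return ipaddress.ip_network(spec, strict=False)

def parse(config):
    """One dict per access-list line, in configuration (evaluation) order."""
    rules = []
    for m in filter(None, (RULE.match(line.strip()) for line in config.splitlines())):
        acl, action, proto, src, dst, port = m.groups()
        rules.append(dict(acl=acl, action=action, proto=proto, port=port,
                          src=to_net(src), dst=to_net(dst), text=m.group(0)))
    return rules

def covers(earlier, later):
    """True if every packet `later` could match is already decided by `earlier`."""
    return (earlier["acl"] == later["acl"] and earlier["proto"] in ("ip", later["proto"])
            and later["src"].subnet_of(earlier["src"]) and later["dst"].subnet_of(earlier["dst"])
            and earlier["port"] in (None, later["port"]))

CHECKS = [  # (label, test(rule, rules evaluated before it))
    ("any-protocol permit", lambda r, prev: r["action"] == "permit" and r["proto"] == "ip"),
    ("cleartext protocol permitted", lambda r, prev: r["action"] == "permit" and r["port"] in CLEARTEXT),
    ("port/transport mismatch", lambda r, prev: NAMED_PORTS.get(r["port"], "both") not in ("both", r["proto"])),
    ("shadowed by an earlier rule", lambda r, prev: any(covers(e, r) for e in prev)),
]

def review(config):
    """Return (finding, rule text) pairs, one per check that fires on a rule."""
    rules = parse(config)
    return [(label, r["text"]) for i, r in enumerate(rules) for label, hit in CHECKS if hit(r, rules[:i])]
```

On the sample, the DMZ host's any-protocol permit to the inside network, the smtp rule it shadows, and the udp "telnet" egress rule are reported; the deny of ftp is not.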


Page 17: Financial institution security top it security risk

Free USB Drives

Page 19: Financial institution security top it security risk

Issue 10: Social Engineering... phishing

Our testing shows: 30% failure rate

Recent news: Epsilon breach, RSA Security breach

Page 20: Financial institution security top it security risk

Issue 10.5: Lack of Mobile Device Security Policy

Policy components: access control, authentication, encryption, incident response, training & awareness, vulnerability management

Page 21: Financial institution security top it security risk

{ Thanks! }

John [email protected] (mobile)

Page 22: Financial institution security top it security risk

Summary: Top Security Risks for 2011 - Risk Management, Mobile Devices in the Enterprise, Wireless, Social Media Information Disclosure, Virtualization Sprawl, 3rd-Party Mobile Applications, Vendor Management, SQL Injection, Inadequate Testing Programs, Social Engineering, Mobile Device Security Policy

Page 23: Financial institution security top it security risk

And from last year: Don't forget about... Faulty DMZs, Virus protection, Encryption
