Financial Industry Security

Financial Industry Financial Industry SecuritySecurityby Ron Widitz, MSIT ‘07by Ron Widitz, MSIT ‘07

Security is only as strong as Security is only as strong as the weakest link.the weakest link.

Paranoid or prudent?Paranoid or prudent?

Why bother?Why bother? Guard firm’s reputationGuard firm’s reputation Avoid litigationAvoid litigation Retain competitive standingRetain competitive standing Maintain trustMaintain trust

– CustomersCustomers– MerchantsMerchants– Business partners/vendorsBusiness partners/vendors

RegulationRegulation FDICFDIC GLBAGLBA PCI DSSPCI DSS State/Federal/State/Federal/

IntlIntl– fraud detectionfraud detection– anti-money anti-money

launderinglaundering

SECSEC Sarbanes-Sarbanes-

OxleyOxley HIPAAHIPAA auditaudit

……

Managing RiskManaging Risk Balance what’s practical with:Balance what’s practical with: Basic security componentsBasic security components

– ConfidentialityConfidentiality– AuthenticityAuthenticity– IntegrityIntegrity– AvailabilityAvailability

Defense in DepthDefense in Depth PhysicalPhysical NetworkNetwork Hardware/DevicesHardware/Devices System/Application SoftwareSystem/Application Software Controls/policy/SOPsControls/policy/SOPs

PhysicalPhysical Building/premisesBuilding/premises

– BarricadesBarricades– SurveillanceSurveillance– Layout & accessLayout & access

Credit/debit card Credit/debit card concernsconcerns– SkimmingSkimming– Identity theftIdentity theft

Physical barricade?Physical barricade?

Physical barricadesPhysical barricades Guard Guard

stationsstations BollardsBollards

Guard station?Guard station?

Bollard effectivenessBollard effectiveness

Physical accessPhysical access Card-key accessCard-key access

– plus 2-factor or biometricsplus 2-factor or biometrics X-ray machines for all packagesX-ray machines for all packages Winding roads vs. straightWinding roads vs. straight Hide data centersHide data centers

– no external signageno external signage– floor plans not registered with villagefloor plans not registered with village

Physical Physical monitoringmonitoring Incident response teamsIncident response teams Live monitored CCTVLive monitored CCTV Constant surveillanceConstant surveillance

Physical plasticPhysical plastic

Magnetic stripe or RFID or smartcardMagnetic stripe or RFID or smartcard HologramHologram CreditCredit

– Signature, account, CID, expire dateSignature, account, CID, expire date DebitDebit

– Account and pin# or signatureAccount and pin# or signature Online secure/generated account/CIDOnline secure/generated account/CID

CID: not-present CID: not-present verificationverification

Information SecurityInformation Security is protection againstis protection against

– Unauthorized access to or modification of Unauthorized access to or modification of information (storage, processing, transit)information (storage, processing, transit)

– Denial of service to authorized usersDenial of service to authorized users– Provision of service to the unauthorizedProvision of service to the unauthorized

includes measures necessary to includes measures necessary to detect, document and counter such detect, document and counter such threatsthreats

NetworkNetwork FirewallFirewall IDSIDS Proxy serverProxy server EncryptionEncryption DR / BCPDR / BCP Threat modelingThreat modeling Trust boundaries / zonesTrust boundaries / zones

Threat ModelingThreat Modeling Enumerate risks:Enumerate risks:

– Assets, entry points, data flowAssets, entry points, data flow Data Flow Diagram and decompositionData Flow Diagram and decomposition

3-Zone Security 3-Zone Security ArchitectureArchitecture

Social EngineeringSocial Engineering Persuasion viaPersuasion via

– trust of otherstrust of others– desire to helpdesire to help– fear of getting in troublefear of getting in trouble

PhishingPhishing Dumpster divingDumpster diving

SoftwareSoftware Access controlAccess control Defensive design/codingDefensive design/coding Live/penetration testingLive/penetration testing Backups/change controlBackups/change control Field-level encryptionField-level encryption

Access ControlAccess Control AuthenticationAuthentication

– identity confirmationidentity confirmation AuthorizationAuthorization

– permission often role-basedpermission often role-based AccountabilityAccountability

– logging / auditlogging / audit

Defensive Defensive design/codingdesign/coding Vulnerability ClassificationVulnerability Classification

– design, implementation, operationaldesign, implementation, operational relevant: touches inputrelevant: touches input related: enforce via crypto, logging, configrelated: enforce via crypto, logging, config

Code Assessment StrategyCode Assessment Strategy– Code comprehension, candidate point Code comprehension, candidate point

analysis, design generalizationanalysis, design generalization Coding standards/best practicesCoding standards/best practices

Q&AQ&A

?