240 likes | 332 Vues
Financial Industry Security. by Ron Widitz, MSIT ‘07. Security is only as strong as the weakest link. Paranoid or prudent?. Why bother?. Guard firm’s reputation Avoid litigation Retain competitive standing Maintain trust Customers Merchants Business partners/vendors. FDIC GLBA
E N D
Financial Industry Security by Ron Widitz, MSIT ‘07
Security is only as strong as the weakest link. Paranoid or prudent?
Why bother? • Guard firm’s reputation • Avoid litigation • Retain competitive standing • Maintain trust • Customers • Merchants • Business partners/vendors
FDIC GLBA PCI DSS State/Federal/Intl fraud detection anti-money laundering SEC Sarbanes-Oxley HIPAA audit … Regulation
Managing Risk • Balance what’s practical with: • Basic security components • Confidentiality • Authenticity • Integrity • Availability
Defense in Depth • Physical • Network • Hardware/Devices • System/Application Software • Controls/policy/SOPs
Physical • Building/premises • Barricades • Surveillance • Layout & access • Credit/debit card concerns • Skimming • Identity theft
Physical barricades • Guard stations • Bollards
Physical access • Card-key access • plus 2-factor or biometrics • X-ray machines for all packages • Winding roads vs. straight • Hide data centers • no external signage • floor plans not registered with village
Physical monitoring • Incident response teams • Live monitored CCTV • Constant surveillance
Physical plastic • Magnetic stripe or RFID or smartcard • Hologram • Credit • Signature, account, CID, expire date • Debit • Account and pin# or signature • Online secure/generated account/CID
Information Security • is protection against • Unauthorized access to or modification of information (storage, processing, transit) • Denial of service to authorized users • Provision of service to the unauthorized • includes measures necessary to detect, document and counter such threats
Network • Firewall • IDS • Proxy server • Encryption • DR / BCP • Threat modeling • Trust boundaries / zones
Threat Modeling • Enumerate risks: • Assets, entry points, data flow • Data Flow Diagram and decomposition
Social Engineering • Persuasion via • trust of others • desire to help • fear of getting in trouble • Phishing • Dumpster diving
Software • Access control • Defensive design/coding • Live/penetration testing • Backups/change control • Field-level encryption
Access Control • Authentication • identity confirmation • Authorization • permission often role-based • Accountability • logging / audit
Defensive design/coding • Vulnerability Classification • design, implementation, operational • relevant: touches input • related: enforce via crypto, logging, config • Code Assessment Strategy • Code comprehension, candidate point analysis, design generalization • Coding standards/best practices
Q&A ?