Financial Industry Security - PowerPoint PPT Presentation

About This Presentation
Title:

Financial Industry Security

Description:

Financial Industry Security by Ron Widitz, MSIT 07 Security is only as strong as the weakest link. Paranoid or prudent? Why bother? Guard firm s reputation Avoid ... – PowerPoint PPT presentation

Number of Views:175
Avg rating:3.0/5.0
Slides: 25
Provided by: RonWi4
Category:

less

Transcript and Presenter's Notes

Title: Financial Industry Security


1
Financial Industry Security
  • by Ron Widitz, MSIT 07

2
Security is only as strong as the weakest link.
  • Paranoid or prudent?

3
Why bother?
  • Guard firms reputation
  • Avoid litigation
  • Retain competitive standing
  • Maintain trust
  • Customers
  • Merchants
  • Business partners/vendors

4
Regulation
  • FDIC
  • GLBA
  • PCI DSS
  • State/Federal/Intl
  • fraud detection
  • anti-money laundering
  • SEC
  • Sarbanes-Oxley
  • HIPAA
  • audit

5
PCI DSS
  • Build and Maintain a Secure Network
  • Requirement 1 Install and maintain a firewall
    configuration to protect data
  • Requirement 2 Do not use vendor-supplied
    defaults for system passwords and other security
    parameters
  • Protect Cardholder Data
  • Requirement 3 Protect stored cardholder data
  • Requirement 4 Encrypt transmission of data
    across open, public networks
  • Maintain a Vulnerability Management Program
  • Requirement 5 Use and regularly update
    anti-virus software
  • Requirement 6 Develop and maintain secure
    systems and applications
  • Implement Strong Access Control Measures
  • Requirement 7 Restrict access to cardholder data
    by business need-to-know
  • Requirement 8 Assign a unique ID to each person
    with computer access
  • Requirement 9 Restrict physical access to
    cardholder data
  • Regularly Monitor and Test Networks
  • Requirement 10 Track and monitor all access to
    network resources and data
  • Requirement 11 Regularly test security systems
    and processes
  • Maintain an Information Security Policy
  • Requirement 12 Maintain a policy that addresses
    information security

6
Hannaford breach
  • 270 supermarkets in 5 eastern States
  • 4.2M accounts exposed 12/07-3/08
  • Two class action law suits filed
  • Opinion
  • Inside job
  • Security controls not in place
  • Not PCI compliant at time of breach
  • PCI QSA audit in question

7
Managing Risk
  • Balance whats practical with
  • Basic security components
  • Confidentiality
  • Authenticity
  • Integrity
  • Availability

8
Defense in Depth
  • Physical
  • Network
  • Hardware/Devices
  • System/Application Software
  • Controls/policy/SOPs

9
Physical
  • Building/premises
  • Barricades
  • Surveillance
  • Layout access
  • Credit/debit card concerns
  • Skimming
  • Identity theft

10
Physical barricade?
11
Physical barricades
  • Guard stations
  • Bollards

12
Guard station?
13
Bollard effectiveness
14
Physical access
  • Card-key access
  • plus 2-factor or biometrics
  • X-ray machines for all packages
  • Winding roads vs. straight
  • Hide data centers
  • no external signage
  • floor plans not registered with village

15
Physical monitoring
  • Incident response teams
  • Live monitored CCTV
  • Constant surveillance

16
Physical plastic
  • Magnetic stripe or RFID or smartcard
  • Hologram
  • Credit
  • Signature, account, CID, expire date
  • Debit
  • Account and pin or signature
  • Online secure/generated account/CID

17
CID not-present verification
18
Information Security
  • is protection against
  • Unauthorized access to or modification of
    information (storage, processing, transit)
  • Denial of service to authorized users
  • Provision of service to the unauthorized
  • includes measures necessary to detect, document
    and counter such threats

19
Network
  • Firewall
  • IDS
  • Proxy server
  • Encryption
  • DR / BCP
  • Threat modeling
  • Trust boundaries / zones

20
Threat Modeling
  • Enumerate risks
  • Assets, entry points, data flow
  • Data Flow Diagram and decomposition

21
3-Zone Security Architecture
22
Social Engineering
  • Persuasion via
  • trust of others
  • desire to help
  • fear of getting in trouble
  • Phishing
  • Dumpster diving

23
Software
  • Access control
  • Defensive design/coding
  • Live/penetration testing
  • Backups/change control
  • Field-level encryption

24
Access Control
  • Authentication
  • identity confirmation
  • Authorization
  • permission often role-based
  • Accountability
  • logging / audit

25
Defensive design/coding
  • Vulnerability Classification
  • design, implementation, operational
  • relevant touches input
  • related enforce via crypto, logging, config
  • Code Assessment Strategy
  • Code comprehension, candidate point analysis,
    design generalization
  • Coding standards/best practices

26
QA
?
27
cross-site scripting
  • Attacker goal their code into browser
  • XSS forces a website to execute malicious code in
    browser
  • Browser user is the intended victim
  • Why? Account hijacking, keystroke recording,
    intranet hacking, theft

28
XSS concept
29
XSS types
  • Immediate reflection phishing
  • DOM-based 95 JavaScript methods
  • Redirection header, meta, dynamic
  • Multimedia Flash, QT, PDF scripts
  • Cross-Site Request Forgery (CSRF)
  • others
  • (e.g. non-persistent search box)

30
Risks
  • XSS abuses render engines or plug-ins
  • Steal browser cookies
  • Steal session info for replay attack
  • Malware or bot installation
  • Redirect or phishing attempt

31
More on Web Attacks
  • Cross Site Scripting
  • RSS/Atom Injection (of CSS type)
  • SQL Injection
  • XPATH Injection
  • LDAP Injection
  • SSI Injection

32
user agent injection
  • Stored
  • HTTP Response Splitting
  • SQL Injection
  • XML Injection
  • JSP Code Injection
  • LDAP Injection

33
Approaches
  • Application firewall
  • HTML encoding on input (server-side)
  • Input validation/filtering
  • Coding techniques with output
  • Session key enforced to prevent CSRF
Write a Comment
User Comments (0)
About PowerShow.com