Secure Network Design: Full Service Bank - PowerPoint PPT Presentation

1 / 42
About This Presentation
Title:

Secure Network Design: Full Service Bank

Description:

Enforce password history. Maximum and minimum password age ... This act was created to address the accounting scandals brought on by Enron and WorldCom? ... – PowerPoint PPT presentation

Number of Views:791
Avg rating:5.0/5.0
Slides: 43
Provided by: antonio101
Category:

less

Transcript and Presenter's Notes

Title: Secure Network Design: Full Service Bank


1
Secure Network Design Full Service Bank
Woo Hyeok Lim and Antonio Quiroz
2
Organizational Overview
  • The banks principal business is attracting funds
    from the investing public and investing the
    funds in mortgage loans secured by residential
    real estate
  • Headquartered in San Antonio, Texas, the bank
    operates in four states Texas, New Mexico,
    Arizona and Nevada
  • The bank has 25 branches and loan centers in four
    states

3
Organizational Overview (Cont.)
  • Due to low interest rates and record home sales
    in Texas and Arizona, the bank has been
    experiencing double digit growth over the past
    five years.
  • It anticipates adding more loan centers and
    branches over the next five years
  • The IT infrastructure - Microsoft and DB2 Main
    Frame

4
Organizational Overview (Cont.)
  • In the future, the bank intends to invest heavily
    to set up a web presence, allow mobile workers to
    access the network and upgrade its servers.
  • Customer are requesting information on checking
    and loan activity over the internet
  • Check 21

5
Regulatory Agencies
  • The bank is governed by the Office of Thrift
    Supervision (OTS) and is subject to OTS
    regulation and examination
  • Deposits are insured by the Federal Deposit
    Insurance Corporation (FDIC) and the bank is
    subject to FDIC regulation

6
Sarbanes-Oxley
  • All publicly held corporations that file
    quarterly and yearly financial statements with
    the Securities and Exchange Commission
  • Sarbanes-Oxley requires the Chief Executive
    Officer and Chief Financial Officer to certify
    that financial reports have been reviewed for
    accuracy and have disclosed any significant
    deficiency in the internal control structure

7
Gramm-Leach-Bliley Act
  • The number one threat faced by financial
    institutions is unauthorized access to customer
    information
  • The goal of Gramm Leach Bliley Act requires
    financial institutions to protect nonpublic
    personal information from unauthorized
    disclosure, misuse, alteration or destruction.
  • Gramm Leach Bliley Act required the Agencies to
    establish standards to ensure the security and
    confidentiality of customer information

8
Gramm-Leach-Bliley Act
  • The Financial Privacy Rule governs the collection
    and disclosure of customers personal financial
    information by financial institutions
  • The Safeguards Rule requires all financial
    institutions to design, implement and maintain
    safeguards to protect customer information

9
Gramm-Leach-Bliley Act
  • Involve the board of directors and senior
    management
  • Assess risk
  • Manage and control risk
  • Oversee service provider arrangements
  • Adjust the program
  • Report to the board

10
Gramm-Leach-Bliley Act
  • Involve the board of directors and senior
    management
  • The Board of Directors, or bank management has
    the authority and accountability to the bank
    operations, are required to approve the written
    information security program.

11
Gramm-Leach-Bliley Act
  • Assess Risk
  • Identify reasonably foreseeable internal and
    external threats
  • Assess the likelihood and potential damage of
    these threats

12
Gramm-Leach-Bliley Act
  • Manage and control risk
  • Access controls on customer information systems
  • Encryption of electronic customer information,
    including while in transit or in storage on
    networks or systems
  • Monitoring systems and procedures to detect
    actual and attempted attacks or intrusions

13
Gramm-Leach-Bliley Act
  • Oversee service provider arrangements
  • It is the bank's responsibility to protect its
    customer's data regardless of who maintains it or
    where it is located.
  • The intent here is that banks cannot shift all
    liability to its service provider

14
Gramm-Leach-Bliley Act
  • Adjust the Program
  • Monitor, evaluate, and adjust the information
    security program in light of any relevant changes
  • Report to the Board
  • On an annual basis, bank management will report
    to its board the status of the information
    security program and the banks compliance with
    the guidelines

15
Current Design
16
Read Attacks
  • External Intrusion via Internet
  • Unauthorized intrusion through analog lines and
    PBX
  • Passive attacks through frame relay connection

17
External Intrusion via Internet
  • External intrusion via the internet is the
    biggest threat.
  • Community Bank maintains critical information
    such as social security numbers, date of birth,
    credit card information and checking account
    information
  • Policy Internet DMZ Equipment Policy

18
Analog Lines and PBX
  • Represents a potential backdoor for intruders
  • Analog lines misuse can occur when an outside
    attacker connects to a computer that has a modem
  • Policy Request for Analog Lines and External
    Connections

19
Passive Attacks Through Frame Relay
  • The banks branches and loan centers communicate
    to headquarters using frame relay.
  • Confidential information is transmitted between
    the branches and headquarters, there exist the
    potential for an attacker to intercept the
    information and capture packets off the wire.
  • Third Party Connection Agreement and Encryption
    Policy

20
Composite Attacks
  • Worms, Viruses and Trojans
  • The second most serious threat to Community Bank
    is worms, viruses and Trojans
  • Worms typically attack the organization
    externally but employees (and other insiders)
    introduce viruses and Trojans to the organization
  • Internet and email usage policy and guidelines
    b) Hardening and patching policy c) Virus
    Protection and Software Use policy

21
Identity Spoofing
  • Policy Password Security Policy
  • Enforce password history
  • Maximum and minimum password age
  • Minimum password length and complexity
    requirements
  • Account lockout policies

22
Flooding
  • Denial of Service and DDOS
  • Email
  • SYN Flood
  • The company must establish an agreement with the
    service provider to mitigate flood attacks

23
Other Policies
  • Incident Response Plan
  • Patching Policy for Internal and External
    Networks
  • Disaster Recovery Plan
  • Portable Computer Security Policy

24
Proposed Design
  • Establish a formal DMZ
  • Separate servers
  • Classify the network

25
Proposed Design
DMZ
26
Proposed Design - NIDS
  • Signiture-Based NIDS
  • A programmed match of known attack patterns
  • Anomaly-Based NIDS
  • CPU utilization
  • File usage
  • User logins
  • Other activities

27
Proposed Design - Firewalls
  • Telecom Firewall
  • Detect
  • Log
  • Alarm
  • Block

28
Proposed Design - VPN
  • Concerns for VPN Client
  • Always-On nature of broadband Internet
    connections
  • Installation of personal firewalls
  • Antivirus software
  • The remote PC itself

29
Proposed Design - Servers
  • Separate servers
  • Public servers
  • Internal servers
  • Separate data
  • Customer Data
  • HR Data
  • Finance Data
  • etc

30
Proposed Design - Multiple Level of Trust
Untrusted
Trusted
Unknown
31
Proposed Design Others
  • Mail Sweeper
  • External email server
  • URL Filter
  • Block the users to access Internet

32
Migration Strategy
  • Hardening the DMZ
  • Configure Network Devices
  • Encrypt all communication over WAN
  • Board of Directors review and approve all
    policies and procedures

33
Migration Strategy - DMZ
  • Stateful Firewall
  • Login Restrict (authenticate)
  • Use SSH
  • Logging
  • Signature-Based NIDS
  • Enable logging
  • Use SSH
  • Disable unneeded services

34
Migration Strategy - DMZ
  • Public Servers
  • Web Server
  • Use port 80 (HTTP)
  • Close ports
  • Email server
  • Use port 110 (POP) and port 25 (SMTP)
  • Close ports
  • The latest anti-virus software

35
Migration Strategy - VPN
  • IPsec
  • Use 3 DES
  • No split tunneling
  • Topology of hub and spoke

36
Migration Strategy - WAN
  • Use 3DES for Frame Relay
  • Comply to GLB

37
Migration Strategy - Report
  • All policy and procedures should be reviewed and
    approved by the Board of Directors
  • Network design should be reviewed and approved by
    the Board of Directors
  • Penetration testing should be scheduled

38
  • Questions?

39
Class Questions
  • What is the goal of the Gramm Leach Bliley Act?

40
Class Questions
  • Answer Question 1
  • Requires financial institutions to protect
    nonpublic personal information from unauthorized
    disclosure, misuse, alteration or destruction.

41
Class Questions
  • This act was created to address the accounting
    scandals brought on by Enron and WorldCom?

42
Class Questions
  • Answer Question 2
  • Sarbanes-Oxley
Write a Comment
User Comments (0)
About PowerShow.com