Financial Industry Security
by Ron Widitz, MSIT '07

Security is only as strong as the weakest link.
Paranoid or prudent?

Agenda
- Why bother?
- Regulation
- Managing Risk
- Defense in Depth
- Physical: barricades, guard stations, bollard effectiveness, access, monitoring, plastic, CID (not-present verification)
- Information Security: network, threat modeling, 3-zone security architecture, social engineering
- Software: access control, defensive design/coding
- Q&A

Why bother?
- Guard firm's reputation
- Avoid litigation
- Retain competitive standing
- Maintain trust
  - Customers
  - Merchants
  - Business partners/vendors

Regulation
- FDIC
- GLBA
- PCI DSS
- State/Federal/Intl
  - fraud detection
  - anti-money laundering
- SEC
- Sarbanes-Oxley
- HIPAA
- audit
- ...

Managing Risk
Balance what's practical with:
- Basic security components
  - Confidentiality
  - Authenticity
  - Integrity
  - Availability

Defense in Depth
- Physical
- Network
- Hardware/Devices
- System/Application Software
- Controls/policy/SOPs

Physical
- Building/premises
  - Barricades
  - Surveillance
  - Layout & access
- Credit/debit card concerns
  - Skimming
  - Identity theft

Physical barricade?

Physical barricades
- Guard stations
- Bollards

Guard station?

Bollard effectiveness

Physical access
- Card-key access
  - plus 2-factor or biometrics
- X-ray machines for all packages
- Winding roads vs. straight
- Hide data centers
  - no external signage
  - floor plans not registered with village

Physical monitoring
- Incident response teams
- Live monitored CCTV
- Constant surveillance

Physical plastic
- Magnetic stripe or RFID or smartcard
- Hologram
- Credit
  - Signature, account, CID, expire date
- Debit
  - Account and PIN or signature
- Online secure/generated account/CID

CID: not-present verification

Information Security
is protection against
- Unauthorized access to or modification of information (storage, processing, transit)
- Denial of service to authorized users
- Provision of service to the unauthorized
and includes measures necessary to detect, document and counter such threats

Network
- Firewall
- IDS
- Proxy server
- Encryption
- DR / BCP
- Threat modeling
- Trust boundaries / zones

Threat Modeling
- Enumerate risks:
  - Assets, entry points, data flow
- Data Flow Diagram and decomposition

3-Zone Security Architecture

Social Engineering
- Persuasion via
  - trust of others
  - desire to help
  - fear of getting in trouble
- Phishing
- Dumpster diving

Software
- Access control
- Defensive design/coding
- Live/penetration testing
- Backups/change control
- Field-level encryption

Access Control
- Authentication
  - identity confirmation
- Authorization
  - permission often role-based
- Accountability
  - logging / audit

Defensive design/coding
- Vulnerability Classification
  - design, implementation, operational
  - relevant: touches input
  - related: enforce via crypto, logging, config
- Code Assessment Strategy
  - Code comprehension, candidate point analysis, design generalization
- Coding standards/best practices

Q&A
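The threat-modeling steps the slides list (enumerate assets, entry points and data flow; decompose along trust boundaries / zones) carried through for a card payment path, as an added example that is not code from the slides. The zone names, component names and sample flows are assumptions; the slides name a 3-zone architecture but do not label the zones.

```python
from dataclasses import dataclass

# Assumed trust zones, least to most trusted ("external" is the untrusted outside).
ZONES = {"external": 0, "dmz": 1, "application": 2, "data": 3}
SENSITIVE = ("PAN", "CID", "PIN")   # card data the slides single out for protection

@dataclass(frozen=True)
class Flow:
    src: str         # sending component
    src_zone: str
    dst: str         # receiving component
    dst_zone: str
    data: str        # what crosses, e.g. "PAN" (account number) or "CID"
    encrypted: bool  # transport or field-level encryption applied

def crosses_trust_boundary(f: Flow) -> bool:
    return ZONES[f.src_zone] != ZONES[f.dst_zone]

def entry_points(flows):
    """Components that accept data from a less trusted zone: where input
    validation and authentication have to be enforced."""
    return sorted({f.dst for f in flows if ZONES[f.src_zone] < ZONES[f.dst_zone]})

def findings(flows):
    """Enumerate the two risks this model checks: sensitive data crossing a
    trust boundary in the clear, and CID persisted in the data zone."""
    out = []
    for f in flows:
        if crosses_trust_boundary(f) and f.data in SENSITIVE and not f.encrypted:
            out.append(f"{f.data} crosses {f.src_zone}->{f.dst_zone} "
                       f"({f.src}->{f.dst}) unencrypted")
        if f.data == "CID" and f.dst_zone == "data":
            out.append(f"CID written to {f.dst}: not-present verification value "
                       "must not be stored after authorization")
    return out

# Constructed sample: a card-not-present purchase with two deliberate weaknesses.
SAMPLE_FLOWS = [
    Flow("customer browser", "external", "web server", "dmz", "PAN", True),
    Flow("web server", "dmz", "payment app", "application", "PAN", True),
    Flow("payment app", "application", "card db", "data", "PAN", False),
    Flow("payment app", "application", "card db", "data", "CID", True),
    Flow("payment app", "application", "audit log", "data", "event", True),
]

if __name__ == "__main__":
    print("entry points:", entry_points(SAMPLE_FLOWS))
    for line in findings(SAMPLE_FLOWS):
        print("finding:", line)
```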