Managing Information Security, an Increasing Risk
December 11th, 2006

© Sean Clark, Director of Information Security Practice
Brintech, Inc., 124 Canal Street, New Smyrna Beach, FL 32168
800.929.2746, SClark@Brintech.com, www.Brintech.com

Jan 11, 2016

Transcript

Managing Information Security, an Increasing Risk

December 11th, 2006


Session Overview

Understand “Today’s” Security Strategy

The cost of security control

Understand, find, and mitigate the risks!!

New Threats for today’s Delivery channels


The Security Strategy


Image from: http://global.mci.com/us/enterprise/govt/igs/security/strategy_sm.gif


The Security Strategy

First we need Corporate Governance!

Then we must understand how much is too much to spend!

Then we must deploy technology with the most ROI and maintain metrics

Continue technology upgrades as threats evolve; remove dead wood


CEO’s Historic Focus

Increasing Shareholder Value

Improving Earnings

Customer Satisfaction

Growth of organization


Impacts to Focus

Brokerages, Insurance companies and other non-traditional banking institutions competing for business

Internet innovation and online competition

Security Threats impacting availability, confidentiality and integrity of information.


Typical Perspective

Taking the ‘insurance stance’: Beware false sense of security

Perception that Security investments cannot be measured in terms of ROI.

If there is an incident… we can manage the risk internally to protect the reputation without increased risk.


Paradigm Shift in Perspective

Acquiring and retaining customers depends on how well you service them and maintain their confidence or trust.

There are metrics to identify the threshold of spending but ROI is still difficult to measure

Breach of customer confidence impacts earnings, and ultimately shareholder value.

Regulations require disclosure of data loss.


Financial Impacts

2003 Study stated average drop in share price for 22 publicly held companies reporting a security breach was 5.6% in the first 3 days, eroding a total of $15-$20 million in shareholder value.


Old Paradigm of Security

5k per drawer * 200 tellers: $1,000,000

$6/hr rate, 15 minute balance per day: 1/4 hr * $6/hr = $1.50 per day

$1.50 per day * 200 tellers = $300 a day

$300 * 280 (working days) = $84,000

$84k spent to count/protect $1,000,000


New Paradigm

Customer data is more valuable

Financial transactions are electronic

Data resides on multiple systems and on the wire.

It’s not just in the drawer and vault! It’s EVERYWHERE


Are we spending enough?

$129k for a Billion Dollar Bank yearly:

$354 per day


What scenarios apply?

Virus Infection

Spam prevention

Phishing or Pharming

Network Breach/Web Site defacement

Information Theft

MCIF theft

Etc…


The Danger of the Unknown Unknown

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.” - Secretary of Defense Donald H. Rumsfeld


Application InSecurities

Gartner states: 80% of web applications put into production through 2007 will fail due to poor quality issues.

Most deployments of applications within the organization are not reviewed for their security prior to deployment.

Responsibility turns to the IT staff of the organization once the technology is deployed.


Paradigm Shift in Perspective

A well-managed information security program can provide a competitive advantage by positively affecting customer acquisition and retention, the cornerstone to any business' ability to generate revenue

Institutions that conduct business online must view information security as a business enabler and not a cost of doing business.

More and more systems use web-based applications, increasing risk to the institution.


Paradigm Shift in Perspective

Evolving and emerging threats from increased delivery channel expansion require attention in an ‘inside-out’ approach.

Protect core applications first, then use layered security outward to the host and network.


If you don’t?

Insider threat, data theft…

Exposure of most valuable assets? (customer information)

Data corruption

Reputational Risks

Bank Fines, closure… loss of shareholder value


Paradigm Shift : The Solution

Combine Governance and technology!
– Top Down acceptance and enforcement
– Exercise ‘worst case scenarios and responses’

Most companies respond with appropriate governance 70% of time after an incident.


Regulatory Scrutiny Increases

Gramm-Leach-Bliley Act
– (http://www.ftc.gov/privacy/glbact/)

Sarbanes-Oxley Act
– (http://www.sarbanes-oxley.com/)

NASD Sec 17/A3-4
– (http://www.sec.gov/)

USA Patriot Act
– (http://www.epic.org/privacy/terrorism/hr3162.html)

BSA (Bank Secrecy Act)
– (http://www.ffiec.gov)


Verbiage from Proposed Bill

…. we would require companies that have databases with sensitive personal information on Americans to establish and implement data privacy and security programs. In the digital age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the databases they use and maintain which contain Americans' private data. They also have a responsibility in the next link in the security chain, to make sure that contractors hired to process data are adequately vetted to keep the personal information in these databases secure. This is increasingly important as Americans' personal information more and more is outsourced for processing overseas and beyond U.S. laws.

http://www.govtrack.us/congress/record.xpd?id=109-s20050929-56&bill=s109-1789#sMonoElementm1m0m0m


Verbiage from Proposed Bill

…. our bill requires notice when sensitive personal information has been compromised. The American people have a right to know when they are at risk because of corporate failures to protect their data, or when a criminal has infiltrated data systems. The notice rules in our bill were carefully crafted to ensure that the trigger for notice is tied to "significant risk of harm" with appropriate checks-and-balances, in order to make sure that companies do not underreport. We also recognize important fraud prevention techniques that already exist. But our priority has been to make sure that victims have critical information as a roadmap that offers the assistance necessary to protect themselves, their families and their financial well-being.

http://www.govtrack.us/congress/record.xpd?id=109-s20050929-56&bill=s109-1789#sMonoElementm1m0m0m


Focus is changing

Regulators will be forced to respond with more guidance (at least) if these bills are passed, requiring even more focus on security controls within your financial institutions!!


What to do


Delivery Channels

Methods to offer banking “anywhere, anytime” to customers that collectively provide the customer with a single, consistent view of the institution


Traditional Delivery Channels


Delivery Channels Today

[Diagram: delivery channels connecting to the financial institution. Labels shown: Internet, Email, Internet User, PBX, FedLine, Check Clearing and Courier Mail, Private WAN to Fed (Cisco 1720), Modem, ACH, Online Banking, Bill Pay, PayPal/FirePay, Internet ACH update, Check 21, Endpoint Exchange, Touch Tone Teller & Direct Call, ATM System, Walk-In/Drive-In, Holding Company, FAX, Instant Messaging/Chat Rooms. Internal systems shown: Core System, Check Images, Loan Database, Financial Trust Database, Human Resources.]


How is it different ????

Interactive?

Transaction based?

Encrypted?

Network based vs. traditional methods?

Decentralization of Customer Information.


The Great Ideas!


Leveraging Technology

Loan Officers in the field (laptops)

Remote Deposits (IRD??)

Remote LockBox access

Remote Check Recon.

Check 21 (Image Exchange)

Two Factor Authentication


Managing Information Security Risk

InfoSec Governance

Understand the risks

Assess current security levels

Implement risk mitigating changes

Include mobile devices!!!

Enforce through policies written/elec.

Train employees and staff


Understand the Risks

Customer information privacy!

Access to bank network (passwords)

Bank liability (reputation, etc)

Network virus infection (crash network)

Hacker intrusion (full/partial breach)


Assess Current Security Levels

Have security assessment performed

Understand the types of testing
– Vulnerability vs. penetration testing
– Internal vs. external
– Intrusion Testing
– Application review

Ensure assessment covers all network points of risk relating to financial institutions.

Include Mobile Devices


Include Mobile Devices

Mobile Devices are an extension of the internal bank network that creates potential risks to bank systems and the customer data protected by them.


FDIC Defines Testing/Prevention

“Prevention measures include sound security policies, well-designed system architecture, properly configured firewalls, and strong authentication programs. This paper discusses two additional prevention measures: vulnerability assessment tools and penetration analyses. Vulnerability assessment tools generally involve running scans on a system to proactively detect known vulnerabilities such as security flaws and bugs in software and hardware. These tools can also detect holes allowing unauthorized access to a network, or insiders to misuse the system. Penetration analysis involves an independent party (internal or external) testing an institution’s information system security to identify (and possibly exploit) vulnerabilities in the system and surrounding processes. Using vulnerability assessment tools and performing regular penetration analyses will assist an institution in determining what security weaknesses exist in its information systems.”

- FDIC FIL-68-99


Hype Cycle


Security 101: The Basics

C.I.A.:
– Confidentiality
– Integrity
– Availability

Awareness is key:
– Can’t respond without knowledge
– Can’t prevent without foresight
– Can’t research/investigate without evidence
– Can’t prosecute without proof


Delivery Channel

ATM / Credit / Debit Cards: Cards used for purchase, account query, or other transactions from multiple endpoints
– IP-enabled ATMs (Diebold, NCR, etc)
– Cash dispensers
– Point-of-purchase devices
– Online purchases


Card Risks (Medium to High)

Stolen card number or Pilfered PIN (phishing)

Network breach of ATM system (IP-enabled)

Physical breach of ATM Card reader / writer (USB-enabled)


ATM/Debit/Credit Card


Card Reader/Printer/Encoder


Fixes to Card Risks

Phishing: Educate consumers!!

Inspect ATM machine on a regular basis

Isolate ATM to separate network from institution’s network

Educate Customers

Consider new RFID technology Risks

Understand future trends


ATM Theft

If they steal the box, they get all the internal configuration information.


Weak ATM systems


RF-ID ATM Cards


eWallet and JavaCards


Delivery Channel

Internet Direct: Direct communications which occur with direct contact to the bank’s network
– External attacks
– Website (hosted internal)
– Website (hosted external)
– Internet banking (hosted internal)
– Back-end imaging
– Lockbox
– Cash management offerings
– Internet banking (hosted external)
– Back-end imaging


Direct Internet Risks (Extremely High)

Internet breach

Spoofing of data or e-mail

Interception of log-on credentials

Information theft

The list goes on and on!


Do you have one of these?

Web Email System?

In-house Ibanking?

In-house LockBox

In-house Check Recon system?

In-house Net-Deposit system?


If so, what you should do

Ensure it is in a properly filtered DMZ

Ensure the communications are encrypted, especially logon credentials.

Ensure HIDS agents are installed and monitored for intrusion

Ensure the systems are tested

Ensure 2 Factor authentication where possible.


Do you have these?

Firewalls?

Network Based IDS/IPS?

Host Based IDS/IPS?

Security Event Log Management?

Monitored Security?


How do they operate?

Firewall: Brick Building

Intrusion Detection Systems: car alarm

Intrusion Prevention System: trap door

Security Event Logging: alarm printer

Monitoring: Security Alarm Company


Fixes to Direct Internet Risks

Have a proper Information Security Program in place to cover
– Network Security Assessment
– Identification of risks
– Implementation of mitigating actions to prevent risk exploitation
– Enforcement of policies
– Re-evaluation on at least an annual basis


Delivery Channel

Internet InDirect: Indirect Internet activities which could usurp security and allow a transaction to occur illegally
– Remote user access
– Phishing
– Social engineering
– Mobile device risks


Indirect Internet Risks (High)

Remote bank employees accessing bank resources from unsecured networks are hijacked
– Keystroke loggers
– Trojan horses, worms

Educate customers about phishing

Employees socially engineered to allow access (phone or in-person)

Mobile device risks (laptops, PDAs, thumb drives) containing non-public customer data

Rogue wireless network access to bank network

Instant messaging poses risk


Fixes to Indirect Internet Risks

Restrict use of VPNs and enforce security measures to only allow bank managed devices to attach

Filter traffic allowed into the internal network from VPN and remote entities.

Implement two-factor authentication to protect remote log-on credentials

Implement firewalls, virus protection, and patch management


Fixes to Indirect Internet Risks

Train employees on social engineering tactics regularly

Limit and control use of mobile devices

Check for rogue wireless networks
– Wireless Scanner, etc.

Control and monitor Internet traffic content
– WebSense, SurfControl, etc.


WiFi Rogue AP


Disable USB Thumb Drives

Windows:
– Change permissions of or delete the USBSTOR.sys file on each system through GPO or manually.
– This will not allow the plug and play system to install the thumbdrive.
– This does not prevent the driver from being used if already installed.
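
A read-only audit of the control on this slide, added here as an example and not part of the original presentation: it reports whether USBSTOR.sys is deleted or guarded by Deny entries, and flags hosts where the slide's caveat about already-installed drivers applies. The function name Get-UsbStorageLockdown is hypothetical; the registry keys and the service Start value (3 = load on demand, 4 = disabled) are standard Windows locations assumed here, not taken from the slides.

```powershell
# Added example, not from the original slides: read-only audit of the
# USBSTOR.sys control on the local Windows host. Nothing is modified.
# Get-UsbStorageLockdown is a hypothetical name, not a built-in cmdlet.
function Get-UsbStorageLockdown {
    [CmdletBinding()]
    param(
        # Assumed standard locations of the driver file and its registry keys.
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\USBSTOR.SYS'),
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR',
        [string]$EnumKey    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    )

    # 1. File control: is the driver deleted, or guarded by Deny entries?
    $driverPresent = Test-Path -LiteralPath $DriverPath
    $aclReadable   = $true
    $denyRules     = @()
    if ($driverPresent) {
        try {
            $acl = Get-Acl -LiteralPath $DriverPath -ErrorAction Stop
            $denyRules = @($acl.Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { '{0} ({1})' -f $_.IdentityReference, $_.FileSystemRights })
        } catch {
            # An unreadable ACL is reported as such, not counted as a control.
            $aclReadable = $false
        }
    }

    # 2. Service start type: 3 loads the driver on demand, 4 means disabled.
    $start = $null
    if (Test-Path -LiteralPath $ServiceKey) {
        $start = (Get-ItemProperty -LiteralPath $ServiceKey -ErrorAction SilentlyContinue).Start
    }

    # 3. USB storage devices that have already been installed on this host.
    $known = @()
    if (Test-Path -LiteralPath $EnumKey) {
        $known = @(Get-ChildItem -LiteralPath $EnumKey -ErrorAction SilentlyContinue |
            ForEach-Object { $_.PSChildName })
    }

    $fileControl = (-not $driverPresent) -or ($denyRules.Count -gt 0)
    $svcDisabled = ($start -eq 4)

    # The first branch is the slide's caveat: the driver was installed earlier.
    $finding = if ($known.Count -gt 0 -and -not $svcDisabled) {
        'USB storage was installed earlier and the USBSTOR service is not disabled: the already-installed caveat applies'
    } elseif ($fileControl -or $svcDisabled) {
        'Control in place for new devices'
    } else {
        'No control found: a new thumb drive will install normally'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DriverPresent   = $driverPresent
        AclReadable     = $aclReadable
        DenyEntries     = $denyRules
        ServiceStart    = $start
        KnownUsbStorage = $known
        Finding         = $finding
    }
}

Get-UsbStorageLockdown | Format-List
```

Run from an elevated prompt so the ACL on the driver file can be read; the output object can be collected across hosts to find machines where the control was rolled out after thumb drives had already been used.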


Disable Blue-Tooth/ IR –More!

Disable in system BIOS

Do not order systems (laptops) with the capabilities

Remove and control the driver installation same way as USBstor.sys

http://support.microsoft.com/default.aspx?scid=kb;en-us;555324


More controls CDR/W-DVR/W

Disable or don’t install Write-Once media
– CDR/W
– DVR/W


Open Discussion