1 / 22

Building a Security Roadmap

Building a Security Roadmap. Introduction. My Background Company Background. Today’s Discussion. The Business Problem SB 1386 Typical Internet Transaction Security Touch Points & Risks Security Countermeasures SAS 70 Q&A. The Business Problem. Security Breach Identity theft Costs

eaton-henry
Download Presentation

Building a Security Roadmap

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Building a Security Roadmap Lion, Inc

  2. Introduction • My Background • Company Background Lion, Inc

  3. Today’s Discussion • The Business Problem • SB 1386 • Typical Internet Transaction • Security Touch Points & Risks • Security Countermeasures • SAS 70 • Q&A Lion, Inc

  4. The Business Problem • Security Breach • Identity theft • Costs • Public Relations • High Profile lawsuits Lion, Inc

  5. Typical Internet Transaction • Consumer Website – Loan Application • Assisted Channel – Loan Officer / Broker Loan Registration & Locking • Internet or Intranet • Confidential information • Social Security # • Bank Account #’s • Borrower Name & Address Lion, Inc

  6. Brokers/ Originators Consumers Typical Internet Transaction Product/Pricing/Eligibility Engine Loan App Internet/Intranet Loan Lock Database Credit Repository Lion, Inc

  7. Security Touch Points • Desktop Threats • Internet Threats • DMZ/Firewall Threats • Webserver / Application Server Threats • Database Threats • 3rd Party Service Providers Lion, Inc

  8. Desktop Threats • Password security • Instant Messaging • Non –secure connections • Email security (inbound&outbound) • Wireless connectivity • Virus propogation • Elevated Application Access • Photo Cell Phones Lion, Inc

  9. Desktop Countermeasures • Corporate computing policy's • Virus Protection • End User License Agreements • Patch Management • Network computing rules/ Policy servers • End user education & training • Limit controls/need to know application access Lion, Inc

  10. Internet Threats • Session hijacking • Site Spoofing • Social Engineering Lion, Inc

  11. Internet Countermeasures • HTTPS • Leased Lines • VPN's • IPSec Lion, Inc

  12. DMZ/Firewall Threats • Denial of Service • Port Scanning • Firewall hacking Lion, Inc

  13. DMZ/Firewall Countermeasures • Intrusion detection • Cisco IDS, scans for known signatures (port scanning, DOS, authentication attempts) • Truesecure Penetration Testing • Looking for known vulnerabilities • Firewall • Web servers • FTP servers • Site Monitoring – • System Health, DOS • External – Mercury Interactive • Internal – Sitescope Monitoring Lion, Inc

  14. Webserver/Appserver Threats • Buffer overruns • Username/Password Hacking • Known vulnerabilities • SQL injection Lion, Inc

  15. Webserver/Appserver Countermeasures • HTTPS • 128 bit Verisign SSL Server Certificates (40 bit is less expensive, also less secure) • Secure FTP services (‘Secure FTP’ product name) • Identify Management – storing authentication credentials in secure format (SiteMinder, ActiveDirectory, SiteServer, Commerce Server, etc.) • Single Signon • Application Intrusion Detection • Account lockout Policy (ie, 6x, lockout for 3min) • IP Blacklisting • Web log monitoring • Application field level edits Lion, Inc

  16. Database Server Threats • Buffer overruns • Username/Password Hacking • Known vulnerabilities Lion, Inc

  17. Database Server Countermeasures • Store sensitive information encrypted • Read Only accounts • Remove sensitive information from logs Lion, Inc

  18. 3rd Party Service Provider Threats • Repudiation – being able to prove who requested transaction Lion, Inc

  19. 3rd Party Service Provider Countermeasures • Client side certificates • Private Leased Lines • VPN/IPSEC Lion, Inc

  20. SAS 70 Certification • SAS 70 OverviewStatement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).  A SAS 70 audit or examination is widely recognized, because it represents that a service organization has been through an in-depth audit of their control activities, which generally include controls over information technology and related processes.  In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. • SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format.  A SAS 70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm.  A formal report including the auditor's opinion ("Service Auditor's Report") is issued to the service organization at the conclusion of a SAS 70 examination Lion, Inc

  21. SAS 70 Certification • Type I Audit – Independent service auditor's report (i.e. opinion) & description of controls. • Type II Audit – Includes a description of the service auditor's tests of operating effectiveness and the results of those tests Lion, Inc

  22. Q&A Lion, Inc

More Related