1 / 24

Financial Industry Security

Financial Industry Security. by Ron Widitz, MSIT ‘07. Security is only as strong as the weakest link. Paranoid or prudent?. Why bother?. Guard firm’s reputation Avoid litigation Retain competitive standing Maintain trust Customers Merchants Business partners/vendors. FDIC GLBA

ccastillo
Download Presentation

Financial Industry Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Financial Industry Security by Ron Widitz, MSIT ‘07

  2. Security is only as strong as the weakest link. Paranoid or prudent?

  3. Why bother? • Guard firm’s reputation • Avoid litigation • Retain competitive standing • Maintain trust • Customers • Merchants • Business partners/vendors

  4. FDIC GLBA PCI DSS State/Federal/Intl fraud detection anti-money laundering SEC Sarbanes-Oxley HIPAA audit … Regulation

  5. Managing Risk • Balance what’s practical with: • Basic security components • Confidentiality • Authenticity • Integrity • Availability

  6. Defense in Depth • Physical • Network • Hardware/Devices • System/Application Software • Controls/policy/SOPs

  7. Physical • Building/premises • Barricades • Surveillance • Layout & access • Credit/debit card concerns • Skimming • Identity theft

  8. Physical barricade?

  9. Physical barricades • Guard stations • Bollards

  10. Guard station?

  11. Bollard effectiveness

  12. Physical access • Card-key access • plus 2-factor or biometrics • X-ray machines for all packages • Winding roads vs. straight • Hide data centers • no external signage • floor plans not registered with village

  13. Physical monitoring • Incident response teams • Live monitored CCTV • Constant surveillance

  14. Physical plastic • Magnetic stripe or RFID or smartcard • Hologram • Credit • Signature, account, CID, expire date • Debit • Account and pin# or signature • Online secure/generated account/CID

  15. CID: not-present verification

  16. Information Security • is protection against • Unauthorized access to or modification of information (storage, processing, transit) • Denial of service to authorized users • Provision of service to the unauthorized • includes measures necessary to detect, document and counter such threats

  17. Network • Firewall • IDS • Proxy server • Encryption • DR / BCP • Threat modeling • Trust boundaries / zones

  18. Threat Modeling • Enumerate risks: • Assets, entry points, data flow • Data Flow Diagram and decomposition

  19. 3-Zone Security Architecture

  20. Social Engineering • Persuasion via • trust of others • desire to help • fear of getting in trouble • Phishing • Dumpster diving

  21. Software • Access control • Defensive design/coding • Live/penetration testing • Backups/change control • Field-level encryption

  22. Access Control • Authentication • identity confirmation • Authorization • permission often role-based • Accountability • logging / audit

  23. Defensive design/coding • Vulnerability Classification • design, implementation, operational • relevant: touches input • related: enforce via crypto, logging, config • Code Assessment Strategy • Code comprehension, candidate point analysis, design generalization • Coding standards/best practices

  24. Q&A ?

More Related