Financial Industry Security - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Financial Industry Security
  • by Ron Widitz, MSIT 07

2
Security is only as strong as the weakest link.
  • Paranoid or prudent?

3
Why bother?
  • Guard firm's reputation
  • Avoid litigation
  • Retain competitive standing
  • Maintain trust
  • Customers
  • Merchants
  • Business partners/vendors

4
Regulation
  • FDIC
  • GLBA
  • PCI DSS
  • State/Federal/Intl
  • fraud detection
  • anti-money laundering
  • SEC
  • Sarbanes-Oxley
  • HIPAA
  • audit

5
PCI DSS
  • Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall
    configuration to protect data
  • Requirement 2: Do not use vendor-supplied
    defaults for system passwords and other security
    parameters
  • Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of data
    across open, public networks
  • Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update
    anti-virus software
  • Requirement 6: Develop and maintain secure
    systems and applications
  • Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data
    by business need-to-know
  • Requirement 8: Assign a unique ID to each person
    with computer access
  • Requirement 9: Restrict physical access to
    cardholder data
  • Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to
    network resources and data
  • Requirement 11: Regularly test security systems
    and processes
  • Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses
    information security

6
Hannaford breach
  • 270 supermarkets in 5 eastern States
  • 4.2M accounts exposed 12/07-3/08
  • Two class action law suits filed
  • Opinion
  • Inside job
  • Security controls not in place
  • Not PCI compliant at time of breach
  • PCI QSA audit in question

7
Managing Risk
  • Balance what's practical with
  • Basic security components
  • Confidentiality
  • Authenticity
  • Integrity
  • Availability

8
Defense in Depth
  • Physical
  • Network
  • Hardware/Devices
  • System/Application Software
  • Controls/policy/SOPs

9
Physical
  • Building/premises
  • Barricades
  • Surveillance
  • Layout access
  • Credit/debit card concerns
  • Skimming
  • Identity theft

10
Physical barricade?

11
Physical barricades
  • Guard stations
  • Bollards

12
Guard station?

13
Bollard effectiveness

14
Physical access
  • Card-key access
  • plus 2-factor or biometrics
  • X-ray machines for all packages
  • Winding roads vs. straight
  • Hide data centers
  • no external signage
  • floor plans not registered with village

15
Physical monitoring
  • Incident response teams
  • Live monitored CCTV
  • Constant surveillance

16
Physical plastic
  • Magnetic stripe or RFID or smartcard
  • Hologram
  • Credit
  • Signature, account, CID, expire date
  • Debit
  • Account and PIN or signature
  • Online secure/generated account/CID

17
CID not-present verification

18
Information Security
  • is protection against
  • Unauthorized access to or modification of
    information (storage, processing, transit)
  • Denial of service to authorized users
  • Provision of service to the unauthorized
  • includes measures necessary to detect, document
    and counter such threats

19
Network
  • Firewall
  • IDS
  • Proxy server
  • Encryption
  • DR / BCP
  • Threat modeling
  • Trust boundaries / zones

20
Threat Modeling
  • Enumerate risks
  • Assets, entry points, data flow
  • Data Flow Diagram and decomposition

21
3-Zone Security Architecture

22
Social Engineering
  • Persuasion via
  • trust of others
  • desire to help
  • fear of getting in trouble
  • Phishing
  • Dumpster diving

23
Software
  • Access control
  • Defensive design/coding
  • Live/penetration testing
  • Backups/change control
  • Field-level encryption

24
Access Control
  • Authentication
  • identity confirmation
  • Authorization
  • permission often role-based
  • Accountability
  • logging / audit

25
Defensive design/coding
  • Vulnerability Classification
  • design, implementation, operational
  • relevant: touches input
  • related: enforce via crypto, logging, config
  • Code Assessment Strategy
  • Code comprehension, candidate point analysis,
    design generalization
  • Coding standards/best practices

26
QA?

27
cross-site scripting
  • Attacker goal: get their code into the browser
  • XSS forces a website to execute malicious code in
    browser
  • Browser user is the intended victim
  • Why? Account hijacking, keystroke recording,
    intranet hacking, theft

28
XSS concept

29
XSS types
  • Immediate: reflection phishing
  • DOM-based: 95 JavaScript methods
  • Redirection: header, meta, dynamic
  • Multimedia: Flash, QT, PDF scripts
  • Cross-Site Request Forgery (CSRF)
  • others (e.g. non-persistent search box)

30
Risks
  • XSS abuses render engines or plug-ins
  • Steal browser cookies
  • Steal session info for replay attack
  • Malware or bot installation
  • Redirect or phishing attempt

31
More on Web Attacks
  • Cross Site Scripting
  • RSS/Atom Injection (of CSS type)
  • SQL Injection
  • XPATH Injection
  • LDAP Injection
  • SSI Injection

32
user agent injection
  • Stored
  • HTTP Response Splitting
  • SQL Injection
  • XML Injection
  • JSP Code Injection
  • LDAP Injection

33
Approaches
  • Application firewall
  • HTML encoding on input (server-side)
  • Input validation/filtering
  • Coding techniques with output
  • Session key enforced to prevent CSRF
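An added worked example (not from the slides) of two of the approaches above, using the non-persistent search box from the XSS types slide: the reflected value copied verbatim into the page beside the same value HTML-encoded on output, plus a per-session CSRF token that a state-changing request must echo back. Function names, the form body and the probe string are constructed for the example.

```python
import hmac
import html
import secrets
from typing import Optional
from urllib.parse import parse_qs


def render_results_unsafe(query: str) -> str:
    # Vulnerable pattern: the search term is copied into the HTML as-is,
    # so a query containing markup or script is rendered by the browser.
    return f"<p>Results for: {query}</p>"


def render_results_safe(query: str) -> str:
    # Hardened pattern: encode the untrusted value on output so the browser
    # shows it as text; quote=True also neutralises it inside attributes.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def issue_csrf_token() -> str:
    # One random token per session; a cross-site page cannot read it, so a
    # forged request from another origin cannot supply it.
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: str, submitted: Optional[str]) -> bool:
    if submitted is None:
        return False
    # Constant-time comparison so timing does not leak token bytes.
    return hmac.compare_digest(session_token, submitted)


def handle_transfer(form_body: str, session_token: str) -> str:
    # form_body is a constructed x-www-form-urlencoded POST body.
    fields = parse_qs(form_body)
    token = fields.get("csrf_token", [None])[0]
    if not csrf_token_valid(session_token, token):
        return "403 rejected: missing or wrong CSRF token"
    return "200 transfer accepted"


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test string
    print(render_results_unsafe(probe))  # script tag reaches the browser
    print(render_results_safe(probe))    # rendered as harmless text
    tok = issue_csrf_token()
    print(handle_transfer("amount=100", tok))
    print(handle_transfer("amount=100&csrf_token=" + tok, tok))
```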