Banking Sector Security Final 09182009

An AAXXISS.COM White Paper

http://www.aaxxiss.com

Banking and Financial Sectors - Security Issues

By George B Tselentis, CISM Sr. Security Analyst

September 18, 2009

© Copyright – AAXXISS.COM – George B Tselentis, CISM

Contents

  • Introduction
  • The Issues
  • AAXXISS.COM Testing Solution
  • Implementation
  • Summary

Introduction

The Threat is Real … A report issued by the NIC (the National Intelligence Council, the Intelligence Community's center for mid-term and long-term strategic thinking) states: “Cyber attacks will provide both state and nonstate adversaries new options for action against the United States beyond mere words but short of physical attacks, strategic options that include the selection of either nonlethal or lethal damage and the prospect of anonymity.” Reference: “The GLOBAL THREATS 2015 Project”, NIC, page 34.

The Threat is growing … “Our wired society puts all of us, US business in particular, because they must maintain an open exchange with customers, at higher risk from enemies. In general, IT's spread and the growth of worldwide digital networks mean that we are challenged to think more broadly about national security.” Reference: Statement for the Record to the Joint Economic Committee, Lawrence K. Gershwin, National Intelligence Officer for Science and Technology, 21 June 2001.

Issues

The security issues that we face today in the Internet space are increasing, and the threats keep changing; they now come from every direction, a 360 degree security threat.

AAXXISS.COM Solutions

We offer a wide range of real world testing. Although we do not guarantee the outcome, we can guarantee that the testing will alert senior management to possible gaps and findings, as part of our deliverable.

Scenario / Outcome - Real World Security Testing Implementation

If you don’t test it you cannot measure it, and if you cannot measure it you will never know if it is effective. “Real World Security Tests for real world threats”.

Summary

The benefit to a financial institution includes real world solutions issued in a final report that contains inexpensive recommendations to justify a change in procedures, staff, software, training, and other enhancements.

Challenge - AAXXISS.COM and Scenario / Outcome

It is critical for financial institutions to test their IT security programs in a real world setting. The goal of this assessment was to acquire “physical access”, then work with the IT department to correct or mitigate the vulnerability. The attack began with a reconnaissance of the Bank's primary facility, which opened a whole world of possibilities, including gaining physical access to the firewalls. Access to the Bank's primary facilities wiring closet was monitored for one day; it was during the reconnaissance that it was ascertained that the access doors to a maintenance area were unlocked in the morning and never locked or secured during the day. As expected, the well-dressed gentleman loitering in the lobby for the day gained access to the closet, took photos, left an envelope with his business card, and did whatever else was required to gain control of the financial systems, without really threatening production or business systems.

The following assets were breached:

  1. The phone closet (a common closet in a public area, unlocked) and the DEMARC (demarcation point of the telephone lines).
  2. The Fedwire (Fedwire operates within the context of the Federal Reserve's overall information security architecture).
  3. The entire backbone of the network, including the firewall.

Day 1 – Reconnaissance … eight (8) hours.
Day 2 – Gained access to the primary facility's wiring and firewall … ten (10) minutes.
The total time of the attack, including the reconnaissance, was 10 hours 5 minutes.

Outcome

A final report was issued containing recommendations that were used to justify a change in procedures, staff, software, training, and other enhancements. The entire technology and business operations staff learned how to identify and deal with a person who may be performing reconnaissance, in an effective and non-threatening manner.

Challenge - AAXXISS.COM and Scenario / Outcome

A boutique banking institution had requested that an Office of Comptroller of Cash pre-assessment be completed. This was only part of the test phase, which included other security tests. The first phase of the test was run, in which the following assets were breached:

  1. The Cash Room.
  2. All the executive offices, including the board room.

Day 1 – Reconnaissance … one (1) hour.
Day 2 – Gained physical access to the primary facility … five (5) minutes.
The total time of the attack, including the reconnaissance, was 1 hour 5 minutes.

Summary

The benefit of running a real world security assessment for any financial institution can be measured in the success of those financial institutions that have taken the following steps:

  1. Brought in from the outside a professional that performs the real world testing using an approach that a real world intruder would use.
  2. Taken the necessary steps to educate the entire organizational workforce to recognize and deal with a person that may be part of a reconnaissance in an effective and non-threatening manner.
  3. Used each of the Scenario – Tests to justify a change in policies, procedures, staff, software, training, and other enhancements.
  4. Understood that Security has various elements and that all of those elements must be practiced to be effective.

Outcome

A final report was issued containing recommendations that were used to justify a change in procedures, staff, software, training, and other enhancements. The entire technology and business operations staff learned how to identify and deal with a person who may be performing reconnaissance, in an effective and non-threatening manner.

See other white papers that we offer on security topics, including:

  • The threats to Banking and Financial institutions.
  • The threats to senior management.
  • The threats to companies that maintain intellectual material, copyrights, patents and/or special processes that are part of the institutional knowledge of that firm.
  • The threats to Insurance.
  • The threats to Law Firms.
  • The threats to Utilities.

AAXXISS.COM is a US veteran-owned business with more than thirty years of experience in the security space. We have an international scope that includes professional contemporaries with specialized skills and/or expertise in areas such as electronic countermeasures (e-sweeps), fraud, internal investigations, security testing, and security assessments, in fulfillment of and in support of corporations meeting governance compliance (SOX, FINRA, GLBA, FinCEN, AML program, HIPAA, OCC, Red Flag, OMB123 including FISMA, HIPAA, Sarbanes Oxley, SAS70, Personal Information protection), reputational, and intellectual property matters.
