Financial Institution Security: Top IT Security Risk
DESCRIPTION
Redspin founder and security evangelist John Abraham gives a keynote at a financial institution security conference.

TRANSCRIPT
![Page 1: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/1.jpg)
Financial Institution Security
Top IT Security Risk
April 13, 2011 - John Abraham
![Page 2: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/2.jpg)
Issue 1: Systematic Risk Management
Focus, focus, focus
![Page 3: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/3.jpg)
Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA Administrative Safeguards (§164.308), ...
![Page 4: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/4.jpg)
![Page 5: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/5.jpg)
Issue 2: Mobile Devices in the Enterprise
![Page 6: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/6.jpg)
![Page 7: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/7.jpg)
Issue 3: Wireless
![Page 8: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/8.jpg)
Issue 4: Social Media Information Disclosure
![Page 9: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/9.jpg)
Issue 5: Virtualization Sprawl
![Page 10: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/10.jpg)
Issue 6: 3rd-Party Mobile Applications
Patch Management + Mobile Applications = Danger!
![Page 11: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/11.jpg)
Issue 7: Vendor Management
The days of “Oops, it was the vendor” being a valid excuse for a data breach are long over.
![Page 12: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/12.jpg)
Issue 8: SQL Injection
Never trust the user!
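The slide carries only the slogan, so here is the shape of the problem in working code. This is an added example, not code from the presentation or from Redspin: a Python/SQLite lookup that pastes the user's input into the query text, beside the parameterized version that does not. The `accounts` table, its rows, and the two payload strings are constructed for the demonstration.

```python
"""SQL injection: a string-built query beside its parameterized replacement (added example)."""
import sqlite3


def demo_db():
    """Constructed in-memory sample data (not from the presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (username, balance) VALUES (?, ?)",
                     [("alice", 1200), ("bob", 75), ("carol", 9000)])
    return conn


def balance_vulnerable(conn, username):
    """'Trusts the user': the input becomes part of the SQL text, quotes and all."""
    sql = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def balance_safe(conn, username):
    """Parameterized: the value travels separately from the statement, so a quote is just data."""
    return conn.execute("SELECT username, balance FROM accounts WHERE username = ?",
                        (username,)).fetchall()


# Two classic payloads: a tautology that widens the WHERE clause to every row, and a UNION
# that pulls the schema out of sqlite_master ("--" comments out the trailing quote).
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT name, sql FROM sqlite_master --"

if __name__ == "__main__":
    conn = demo_db()
    print(balance_vulnerable(conn, "bob"))         # the intended single row
    print(balance_vulnerable(conn, TAUTOLOGY))     # every account
    print(balance_vulnerable(conn, UNION_DUMP))    # the CREATE TABLE statement
    print(balance_safe(conn, TAUTOLOGY))           # []: no user has that literal name
```

The safe version needs no escaping logic of its own; the driver never lets the value be parsed as SQL. Input validation on top of that is still worthwhile, but it is the second line of defence, not the first.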
![Page 13: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/13.jpg)
Issue 9: Inadequate Testing Programs
Existence does not equal Effective
![Page 14: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/14.jpg)
![Page 15: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/15.jpg)
```
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
...
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
...
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 10.0.0.3
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0
access-group out in interface outside
access-group in in interface inside
access-group dmz in interface dmz
...
```
![Page 16: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/16.jpg)
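Slides 15 and 16 show this PIX configuration as an exercise in reading what a firewall actually permits rather than trusting that one exists (Issue 9), and in spotting a faulty DMZ (the "from last year" list). As an added example, not code from the presentation or from Redspin, the Python script below parses the slide's nameif, ip address, access-list and access-group lines and flags the patterns a reviewer looks for: a rule fully shadowed by an earlier rule in the same list (PIX lists are first-match), a permit with no port restriction from a lower-security interface into a higher-security subnet, a rule whose source is the firewall's own interface address, a service name paired with the wrong transport, and legacy cleartext services permitted to any destination. The check names, the service table and the sample's line numbering are this example's own; the NAT and static statements are left out and not modelled.

```python
"""Review a Cisco PIX 6.x access-list for common DMZ mistakes (added example, not from the deck)."""
import ipaddress
from collections import namedtuple

# The nameif, ip address, access-list and access-group lines copied from the slide; the
# elided "..." sections and the NAT/static statements are left out (NAT is not modelled).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
access-group out in interface outside
access-group in in interface inside
access-group dmz in interface dmz
"""

# Transport each named service actually uses; a mismatch such as "udp ... eq telnet" is a
# rule that cannot match the traffic its author had in mind.
SERVICE_PROTO = {"www": {"tcp"}, "https": {"tcp"}, "smtp": {"tcp"}, "ssh": {"tcp"},
                 "telnet": {"tcp"}, "ftp": {"tcp"}, "domain": {"tcp", "udp"},
                 "time": {"tcp", "udp"}, "37": {"tcp", "udp"}, "daytime": {"tcp", "udp"}}
# Cleartext or legacy services that should not be reachable at arbitrary destinations.
LEGACY = {"telnet", "ftp", "daytime", "time", "37", "13"}

# One access-list entry: port is the token after "eq", or None when the rule has no port.
Ace = namedtuple("Ace", "line acl action proto src dst port")

def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse(config):
    """Return (aces, security level per interface, address per interface, acl -> interface)."""
    aces, levels, ifaddrs, bound = [], {}, {}, {}
    for n, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if t[:1] == ["nameif"]:              # nameif ethernet0 outside security0
            levels[t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:     # ip address inside 172.16.0.2 255.255.255.0
            ifaddrs[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["access-group"]:      # access-group in in interface inside
            bound[t[1]] = t[4]
        elif t[:1] == ["access-list"]:       # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            aces.append(Ace(n, t[1], t[2], t[3], src, dst, rest[1] if rest[:1] == ["eq"] else None))
    return aces, levels, ifaddrs, bound

def covers(a, b):
    """True when every packet b would match has already matched a (PIX ACLs are first-match)."""
    return ((a.proto == "ip" or a.proto == b.proto) and (a.port is None or a.port == b.port)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))

def review(config):
    """Return (config line, check name, detail) tuples, one per suspicious rule."""
    aces, levels, ifaddrs, bound = parse(config)
    out = []
    for i, ace in enumerate(aces):
        shadow = next((e for e in aces[:i] if e.acl == ace.acl and covers(e, ace)), None)
        if shadow:
            kind = "redundant" if shadow.action == ace.action else "conflict"
            out.append((ace.line, "shadowed", f"never matched; line {shadow.line} already covers it ({kind})"))
        lvl = levels.get(bound.get(ace.acl))
        if ace.action == "permit" and ace.port is None and lvl is not None:
            for name, other in levels.items():  # unrestricted permit into a more trusted segment
                if other > lvl and name in ifaddrs and ace.dst.overlaps(ifaddrs[name].network):
                    out.append((ace.line, "dmz-to-inside",
                                f"{ace.proto} from {ace.src} into {name} ({ifaddrs[name].network}) with no port"))
        if ace.src.prefixlen == 32 and any(ace.src.network_address == a.ip for a in ifaddrs.values()):
            out.append((ace.line, "self-address", "source is the firewall's own interface; hosts behind it are unaffected"))
        if ace.port in SERVICE_PROTO and ace.proto not in SERVICE_PROTO[ace.port]:
            out.append((ace.line, "proto-mismatch", f"{ace.port} is not a {ace.proto} service"))
        if ace.action == "permit" and ace.port in LEGACY and ace.dst.prefixlen == 0:
            out.append((ace.line, "legacy-outbound", f"{ace.port} permitted to any destination"))
    return out

if __name__ == "__main__":
    for line, check, detail in review(PIX_CONFIG):
        print(f"line {line:2d}  {check:16s} {detail}")
```

Run against the slide's rules, it reports the `permit ip host 192.168.0.13 172.16.0.0 255.255.255.0` entry (a compromised DMZ mail or web server gets the whole inside network, and the smtp-only rule two lines later can never match), the deny on host 172.16.0.2 (the PIX's own inside address, so no inside host is affected), `udp ... eq telnet` (telnet is TCP, so the rule permits nothing useful), and the outbound time, daytime and telnet permits to any destination. Because PIX lists are first-match, rule order matters as much as rule content; that is why the shadowing check runs before the others.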
![Page 17: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/17.jpg)
Free USB Drives + +
![Page 18: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/18.jpg)
![Page 19: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/19.jpg)
Issue 10: Social Engineering... phishing
Our testing shows: 30% failure rate
Recent news: Epsilon breach, RSA Security breach
![Page 20: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/20.jpg)
Issue 10.5: Lack of Mobile Device Security Policy

Policy components:
- Access control
- Authentication
- Encryption
- Incident response
- Training & awareness
- Vulnerability management
![Page 22: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/22.jpg)
Summary: Top Security Risks for 2011
- Risk Management
- Mobile Devices in the Enterprise
- Wireless
- Social Media Information Disclosure
- Virtualization Sprawl
- 3rd-Party Mobile Applications
- Vendor Management
- SQL Injection
- Inadequate Testing Programs
- Social Engineering
- Mobile Device Security Policy
![Page 23: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/23.jpg)
And from last year: don't forget about...
- Faulty DMZs
- Virus protection
- Encryption
![Page 24: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/24.jpg)
![Page 25: Financial institution security top it security risk](https://reader034.vdocuments.us/reader034/viewer/2022051817/54828376b079592e0c8b481e/html5/thumbnails/25.jpg)