Bank World 2008 Kamens 04 29 08

1. Bank’s Worst PR Nightmare: Personal Information Compromised
   April 29, 2008

2. Michael Kamens, J.D., CISM
   • Senior Manager - IT Assurance Services
   • Certified Information Security Manager
   • Over 25 years of information technology and management experience
   • Experience includes IT control evaluation, risk assessments, data and PII security, wireless and VoIP vulnerability and penetration testing and remediation, security analysis, BCP/DRP and IT auditing.

3. Joshua Neffinger, CISA
   • Senior - IT Assurance Services
   • Certified Information Systems Auditor
   • 5 years of network administration and programming experience
   • Performed over 120 IT audits within financial, commercial, and health care institutions.

4. Your Bank’s Worst Nightmare: Personal Information Compromised
   Presentation Agenda
   • 6 Secrets to a successful IT Audit
   • Choose your Friends carefully – Vendor selection
   • The 5 greatest causes of Vulnerabilities
   • Hacking Do’s and Don’ts
   • Vulnerabilities: Are they Created Equal?

5. 6 Secrets to a successful IT Audit

6. Remember… The Six Secrets to a Successful IT Audit
   1. IT is an integral component of your business
   2. IT Audits are performed by qualified professionals
   3. IT Risk Assessment
   4. Vulnerability Assessment
   5. Senior Management buy-in
   6. Prepare for it

7. Preparing for the Audit
   • Overall objective
   • Categorize each concern
   • Expected achievement
   • Designate a point person

8. Post IT Audit
   • Draft reports
   • Responding to comments
   • The final report
   • Evaluating IT controls going forward

9. Choose your Friends carefully – Vendor selection

10. Vendor Due Diligence
   • Proof of insurance
   • References
   • Credentials
   • Expertise
   • Continuity
   • Project length
   • Privileged data
   • Presentation

11. Banks need to focus on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services.
   • Ability to evaluate and oversee outsourcing relationships.
   • Importance and criticality of the services to the financial institution.
   • Defined requirements for the outsourced activity.
   • Necessary controls and reporting processes.
   • Contractual obligations and requirements for the service provider.
   • Objectives and service provider performance.
   • Regulatory requirements and guidance for the business lines affected and technologies used.
   Source: FDIC, Risk Management of Outsourced Technology Services

12. The 5 greatest causes of Vulnerabilities

13. The 5 greatest causes of Vulnerabilities
   1. Device/Server Hardening
   2. Default Credentials
   3. Operating System Patches
   4. Application Patches
   5. Housekeeping

14. Device/Server Hardening
   • All networked devices should be hardened
   • Disable both dangerous and extraneous services
   • Disable the guest account
   • Install antivirus and anti-spyware software
   • Run Microsoft Baseline Security Analyzer (MBSA)

15. Default Credentials
   • Ensure all default authentication credentials are changed
   • Don’t use the Bank’s name as part of a password

16. Operating System (OS) Patches
   • Have a patch management program
   • Ensure all servers are part of the program

17. Application Patches
   • Exploits are trending towards applications.
   • More difficult to keep up to date due to varying vendors.
   • Use a vulnerability assessment tool to monitor patch levels.

18. Housekeeping
   • Dormant user accounts
   • Services no longer being used
   • Shares with excessive permissions
   • Applications no longer being utilized
   • Software updates may change the security configuration.

19. Hacking Do’s and Don’ts

20. Hacking Do’s and Don’ts
   • Establish Monitoring
   • Encrypt Network Traffic
   • Filter Inbound and Outbound Ports
   • Don’t Broadcast Network Information

21. Establish Monitoring
   • Network traffic, firewall activity, server activity.
   • Utilize a tool to aggregate.
   • Intrusion Prevention System (IPS)

22. Encrypt Network Traffic
   • Don’t use protocols that transmit credentials and data in clear text.
      • FTP, Telnet, HTTP
   • Strong protocols encrypt data.
      • FTPS, SSH, HTTPS
   • IPSEC
   • Enable a sniffer on your network

23. Filter Inbound & Outbound Ports
   • Only allow traffic on ports that are required for business purposes.
   • Eliminate the exit strategy of an attacker.

24. Don’t Broadcast Network Information
   • Null Sessions
      • Reveal user accounts, groups, policy settings.
   • SNMP
      • Reveals network configuration
   • Server Header Information
      • Reveals web server information
   • Service Pack Levels

25. Vulnerabilities: Are they Created Equal?
26. Vulnerabilities: Are they Created Equal?
   • Scans are completed
   • Hundreds of pages of data
   • The raw data has been analyzed
   • Rating system
   • CVE vs. CVSS
   • Vulnerability vs. false positive

27. Standardized names - CVE or CVSS
   • The report should identify each device with vulnerabilities.
      • Some may have several vulnerabilities that need attention
   • Each vulnerability should be defined with a description, reason, and Common Vulnerabilities & Exposures (CVE) or Common Vulnerability Scoring System (CVSS) note
      • CVE is a list of standardized names for vulnerabilities and other information security exposures
      • CVSS is a quantitative model that ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores.

28. Common Vulnerability Scoring System (CVSS)
   • The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.
   • NVD Vulnerability Severity Ratings
      1. “Low” severity - CVSS base score of 0.0-3.9.
      2. “Medium” severity - CVSS base score of 4.0-6.9.
      3. “High” severity - CVSS base score of 7.0-10.0.
   • Does a CVSS 9.0 score mean the vulnerability is “High” severity?
   • Source:

29. Sample Vulnerability #1: IRDP (ICMP Router Discovery Protocol) enabled (generic-irdp-enabled)
   • Description:
   • ICMP Router Discovery Protocol (IRDP) is enabled on this host. IRDP is an extension to the ICMP protocol that allows hosts to discover routers on their networks by listening for "router advertisement" broadcasts on their networks. Receipt of router advertisement messages by a host may result in changes to the host's routing table. Since IRDP does not provide for the authenticity of router advertisement messages, hosts running IRDP can be spoofed into changing their routes.
   • An attacker could send spoofed IRDP router advertisement messages to the host, causing it to change its default route to whatever the attacker chooses. This could result either in a complete denial-of-service (i.e. changing the default gateway to something invalid) or susceptibility to passive sniffing and/or man-in-the-middle attacks (i.e. changing the gateway to a router under the attacker's control).
   • Source Reference
   • CVE CVE-1999-0875
   • BID 578
   • XF irdp-gateway-spoof(3123)
   • URL

30. CVE-1999-0875 National Cyber-Alert System
   • Vulnerability Summary CVE-1999-0875
   • Original release date: 8/11/1999
   • Last revised: 5/2/2005
   • Source: US-CERT/NIST
   • Overview:
   • DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes.
   • Impact:
   • CVSS Severity (version 2.0 incomplete approximation): CVSS v2 Base score: 6.4 (Medium) Impact Subscore: 4.9 Exploitability Subscore: 10.0 Access Vector: Network exploitable Access Complexity: Low Authentication: Not required to exploit Impact Type: Allows unauthorized disclosure of information, Allows unauthorized modification

31. Sample Vulnerability #2: MS06-060: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554)
   • Your system may require one or more security patches or hot fixes from Microsoft. This update resolves several newly discovered, privately reported and public vulnerabilities.
   • References:
   • Source Reference
   • BID 20387
   • CERT-VN 806548
   • CERT-VN 921300
   • CVE CVE-2006-3647

32. CVE-2006-3647 National Cyber-Alert System
   • Vulnerability Summary CVE-2006-3647
   • Original release date: 10/10/2006
   • Last revised: 4/23/2008
   • Source: US-CERT/NIST
   • Overview:
   • Integer overflow in Microsoft Word 2000, 2002, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string in a Word document, which overflows a 16-bit integer length value, aka "Memmove Code Execution," a different vulnerability than CVE-2006-3651 and CVE-2006-4693.
   • Impact:
   • CVSS Severity (version 2.0): CVSS v2 Base score: 9.3 (High)
   • Impact Subscore: 10.0 Exploitability Subscore: 8.6 Access Vector: Network exploitable, Victim must voluntarily interact with attack mechanism Access Complexity: Medium Authentication: Not required to exploit Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation, Allows unauthorized disclosure of information, Allows disruption of service
33. Thank you / Questions?
   • Michael Kamens
   • Voice: 617.512.3118
   • [email_address]

34. Remember
   • Before you criticize someone, walk a mile in their shoes; that way you are a mile away and you have their shoes.
      Author “who knows”