NH Bankers 10 08 07 Kamens

  1. What Bankers Should Know About IT Risk, Vulnerabilities & Security
     Michael Kamens, JD, CISM
     Accume Partners - Director, IT Audit
     New Hampshire Bankers Association
  2. The Six Secrets of IT Audit
     - Make the Technicians Speak Plain English
     - IT is a Business; Run it as a Business
     - The IT Risk Assessment Should Drive the Audit Schedule
     - Customer Information Privacy is High Risk
     - IT Audits Performed by Qualified Professionals
     - Networks Open the Door to Attacks by Anyone, at Anytime, from Anywhere
  3. Networks Are The Biggest Risk
     - Challenges
     - Security reports indicate that your network is vulnerable to being exploited by “hackers”
     - On the other hand, your IT people tell you how secure your network is
     - Most IT Auditors are scared of the Network
       - You have limited time to finish your audit
       - Even if you go head to head with the IT team, would it be productive?
       - When the reports detail vulnerabilities, are they explained in a way that will make sense?
       - Do you really understand what a “false positive” is?
       - How thorough is your understanding of the technology you are auditing?
  4. Network Audit Agenda
     - Considerations for Evaluating Vulnerability
     - Risk Assessment vs. Vulnerability Assessment
     - The Need for Vulnerability and Penetration Testing
     - Internal Auditors’ Role
     - Vulnerability and Penetration Assessment
  5. Considerations for Evaluating Vulnerabilities
     - Questions to Ask
     - Can a “hacker” breach your network?
       - Hint: Absolutely!
     - Has the IT Department done everything to make your network more secure?
     - Are there Policies and Procedures in place to ensure best-practice standards are actually followed?
  6. Considerations for Evaluating Vulnerabilities (continued)
     - Trends Affecting Information Security
     - Businesses have a tremendous opportunity to utilize information technology to expand their productivity.
     - Many organizations will need to provide easier access by users to selected areas of their information systems, thereby increasing potential exposure.
     - In taking advantage of all this increased connectivity, speed and data, securing information within their communications systems has to be a mandatory priority.
     - Unfortunately, no single security device or procedure will ensure a risk-free environment.
  7. Risk Assessment vs. Vulnerability Assessment
     The Audit Flow: Start → Decide/Plot → Plan → Read/Examine → Test → Write → Quit
  8. IT Risk Assessment
     - An IT Risk Assessment is designed to give a detailed analysis of how well a business is secured
     - Answers the question: How secure is your organization's information? A high-priority issue
  9. Vulnerability Assessment
     - A Vulnerability Assessment identifies weaknesses and vulnerabilities on the network that expose the business to risk
     - Allows the business to diminish threats and take remedial action before they are exploited
     - Provides an analysis of the business's security
     - Ensures that only authorized employees have access to critical corporate data
  10. The Need for Vulnerability & Penetration Testing
     - Drivers
     - Businesses continue to rely on the Internet to increase revenue, thereby exposing data to potential hackers
     - Businesses are inadequately securing customer data
     - ID theft is at an all-time high
     - Consumers are inadequately educated about securing their own ID data
  11. The Need for Vulnerability & Penetration Testing
     - Challenges
     - The demanding pace of business
       - The need for speed can take precedence over logical security measures
     - Corporate culture
       - “It will not happen to me” attitude
       - Focusing resources only where they generate high visibility and high ROI
       - Resistance to committing valuable (human, financial) resources to protect client data
  12. Where is IA Positioned?
     - Where are you?
     - Are you part of your organization’s team in planning the IT Audit and deciding what areas will be in scope?
     - Is the attitude “Well, it’s not a key control, so let someone else handle it”?
  13. Internal Auditors’ Role
     What IA gains by being involved with Vulnerability and Penetration Testing
     - Assurance that data has not been compromised
     - Assurance that administrative rights are properly administered
       - Request screenshots of ID login, password, user rights configurations and file shares
       - Process for how admin rights are granted
     - Assurance that a Trojan Horse would not be able to take over the network
       - Guest Account has no password
       - Server has never been hardened
  14. Internal Auditors’ Role
     - What you should know
     - Hardened Servers
     - When new servers are purchased, every service is activated by default, regardless of the server's intended use
     - The OS could be Windows/Linux/Unix etc.
     - Services can include Email/Web/SQL etc.
     - Wireless Access Points
  15. Internal Auditors’ Role
     - Impact
     - TJX lost 200M customers’ PII
       - Cause: poor security on their wireless access points
     - TSA lost 100K employees’ PII
       - Cause: lost laptop
     - Fidelity lost 196K customers’ PII
       - Cause: lost laptop
     - AIG lost 930K customers’ PII
       - Cause: theft of a data-center server
     - Bank of America lost 1.2M federal employees’ PII
       - Cause: lost laptop
     - Texas Guaranteed Student Loan lost 1.3M customers’ PII
       - Cause: lost computer tapes
     - Q: Can your organization survive the front page or the 6 o’clock news?
       - Note: PII = Personally Identifiable Information. Includes SSN, birth dates, addresses, driver's license or anything that identifies an individual.
  16. Vendor Management
     Selecting a vendor for a Vulnerability and Penetration Security Assessment
     - Vendor Criteria
       - What insurance do they carry?
       - Who owns all the data, raw and finished?
       - Will the same team begin and finish?
       - Estimated project length
       - References within your industry are critical
       - How do they present their evidence (reports)?
  17. Criteria for Selecting a Vendor
     - Selecting a Vendor
     - Vendor Criteria
       - Good business dictates requesting 3 quotes
       - Review the financials of prospective vendors to ascertain their solvency
       - Review the firm’s history
         - How long has the firm been in business?
         - How long have they been performing vulnerability and penetration testing?
       - Review staffing
         - Does the prospective vendor hire permanent staff or contractors?
         - What are their credentials?
  18. Vulnerability and Penetration Assessment
     - Testing
     - IA should be part of the team that determines the scope of testing
     - You will want to be able to read the Vulnerability and Penetration report to be satisfied that the organization is secure
  19. Vulnerability and Penetration Assessment
     - Phase: Assessment Areas
     - When looking at areas of an Assessment there are various ways of categorizing the assessment areas, for example:
       - EXTERNAL: Firewall, DMZ, Email, Web
       - INTERNAL: Hosts/Servers
       - INTERNAL: Network Devices
       - INTERNAL: PCs
       - Phone Sweep
       - Social Engineering
  20. Vulnerability and Penetration Assessment
     - Phases: Assessment/Scans
     - The PC scans
       - Provide verification that the PCs are patched and updated
       - Identify accounts without passwords
       - Identify vulnerabilities from missing patches
       - Usually performed annually
     - Phone Sweep/War Dialing
       - Scans your PBX to determine that users are not connecting modems to their PCs (optional)
     - Social Engineering
       - Attempt to gain client data from staff at remote sites (optional)
  21. Vulnerability and Penetration Assessment
     - Phase: Data Rating
     - ECHO Rating System
       - E – Exposure (High)
         - Immediate corrective attention required
       - C – Control Concern (Medium)
         - Corrective action required
       - H – Housekeeping (Low)
         - Configuration enhancements recommended
       - O – Okay (Low)
         - Controls appear to be adequate
  22. Vulnerability and Penetration Assessment
     - Phases: Data Analysis
     - Data analysis is the most critical stage of the assessment
       - High vulnerability vs. “false positives”
     - Once the vendor has completed their scans
       - Data need to be correlated, analyzed and ranked by importance
  23. Vulnerability and Penetration Assessment
     - Vulnerability Reports
     - The report should identify each device with vulnerabilities.
       - Some may have several vulnerabilities that need attention
     - Each vulnerability should be defined with a description, reason, and CVE (Common Vulnerabilities & Exposures) note
       - CVE is a list of standardized names for vulnerabilities and other information security exposures
       - CVE aims to standardize the names for all publicly known vulnerabilities and security exposures
     - Risk rating
     - Remediation: there should be an explanation/recommendation for how to remediate the vulnerability
     - See examples
  24. Vulnerability and Penetration Assessment
     - Vulnerability Reports – Typical Detail
     - Exchange XEXCH50 Remote Buffer Overflow vulnerability detected on port smtp (25/tcp)
     - Vulnerability Description: This system appears to be running a version of the Microsoft Exchange SMTP service that is vulnerable to a flaw in the XEXCH50 extended verb. This flaw can be used to completely crash Exchange 5.5 as well as execute arbitrary code on Exchange 2000.
     - ECHO Rating / Risk: E – Exposure; Immediate Corrective Attention Required
     - Category – Type of Vulnerability: SMTP Problems
     - Additional Information: NA
     - Vulnerable System(s): Server
     - Recommendation: System administrators should apply the security patch to Exchange servers immediately. Refer to:
     - Vulnerability Reference (CVE/CAN, BID): CVE: CVE-2003-0714; BID: 8838; Other references: IAVA:2003-A-0031, IAVA:2003-a-0016; Nessus ID: 11889
  25. Vulnerability and Penetration Assessment
     - Vulnerability Reports – Typical Detail
     - Vulnerability Description: The Terminal Services are enabled on the remote host.
     - Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server.
     - ECHO Rating / Risk: O – Okay; Controls appear to be adequate
     - Category – Type of Vulnerability: Useless Services
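The data-rating, data-analysis and report-structure slides above describe how findings should be rated (ECHO), ranked by importance, checked for false positives and listed per device. The following added example (not from the deck or Accume Partners) implements that triage for a constructed set of findings modelled on the two typical-detail entries; hostnames, the sort order of the four ECHO levels, the `verified` flag and the rating given to the guest-account item are assumptions of the example.

```python
from dataclasses import dataclass

# ECHO rating system from the deck: E (Exposure, high), C (Control Concern, medium),
# H (Housekeeping, low), O (Okay, low). The sort order is an assumption of this example.
ECHO_ORDER = {"E": 0, "C": 1, "H": 2, "O": 3}

@dataclass
class Finding:
    device: str
    port: str
    title: str
    echo: str               # one of E, C, H, O
    cve: str = "NA"         # CVE reference as the report should carry it
    remediation: str = ""
    verified: bool = False  # analyst confirmed the scanner result is not a false positive

def rank_findings(findings):
    """Order findings E -> C -> H -> O, then by device and port, rejecting unknown ratings."""
    for f in findings:
        if f.echo not in ECHO_ORDER:
            raise ValueError(f"unknown ECHO rating {f.echo!r} on {f.device}")
    return sorted(findings, key=lambda f: (ECHO_ORDER[f.echo], f.device, f.port))

def per_device_summary(findings):
    """One entry per device: worst rating, finding count, and E/C items still unverified."""
    summary = {}
    for f in rank_findings(findings):          # ranked, so the first hit per device is the worst
        entry = summary.setdefault(f.device, {"worst": f.echo, "count": 0, "unverified_high": 0})
        entry["count"] += 1
        if f.echo in ("E", "C") and not f.verified:
            entry["unverified_high"] += 1
    return summary

def report_lines(findings):
    """Render the ranked list; E/C findings nobody has confirmed are flagged for analysis."""
    lines = []
    for f in rank_findings(findings):
        flag = "" if f.verified or f.echo in ("H", "O") else "  [unverified: rule out false positive]"
        lines.append(f"{f.echo}  {f.device}  {f.port}  {f.title} ({f.cve}){flag}")
    return lines

# Constructed sample input modelled on the two typical-detail findings above plus the
# "Guest Account has no password" item from slide 13; hostnames are placeholders.
SAMPLE = [
    Finding("mail01", "3389/tcp", "Terminal Services enabled", "O"),
    Finding("mail01", "25/tcp", "Exchange XEXCH50 Remote Buffer Overflow", "E",
            cve="CVE-2003-0714", remediation="Apply the Exchange security patch immediately"),
    Finding("file02", "445/tcp", "Guest account has no password", "C", verified=True),
]
```

Calling `report_lines(SAMPLE)` lists the Exchange exposure first with a flag until an analyst verifies it, and `per_device_summary(SAMPLE)` gives the per-device view the report should open with.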
  26. Vulnerability and Penetration Assessment
     - Four Most Common Causes of Vulnerabilities:
     - Lack of Housekeeping
     - Not Hardening Servers
     - Not updating/patching servers and PCs
     - No follow-up on previous Vulnerability and Penetration Assessments
  27. Vulnerability and Penetration Assessment
     - Additional Causes of Vulnerabilities
     - Our tendency is to spend scarce resources on the most publicized vulnerabilities rather than investing the effort on the vulnerabilities that pose the greatest risk to the enterprise.
     - If we had unlimited resources and budgets, our first step would begin before a computer network becomes operational, so that no flawed computers are introduced into the network.
       - The network could then be probed for security vulnerabilities.
       - Finally, the external network defense, the firewall, could be verified before any connection to the public network is allowed.
     - In reality, we are under-staffed, under-budgeted and pressured for time to meet deadlines. Skipping this single step is the cause of the most significant number of known vulnerabilities.
  28. Sample Report
     - Sample Report Conclusion
     - “We have reviewed ACME Bank’s IT Policies and Procedures for safeguarding their network systems having an Internet presence.”
     - “Our vulnerability testing identified six vulnerabilities and security configuration issues. We recommend that ACME review their network patch management policies and procedures. Effective patch management policies, detailed procedures, and processes will improve the Bank’s overall security posture and provide adequate protection against known vulnerabilities and intruder attacks.”
     - “It is important to remember that security is a process, not a destination. New vulnerabilities are discovered on a daily basis, and without keeping abreast of the latest security information any network, regardless of how secure it is at present, has the potential to be compromised in the future.”
  29. Internal Audit Responsibilities
     - Review the report to ascertain just how secure your organization is
     - Ensure that the vulnerabilities discovered, the agreed-upon action plans and the time frames for remediation are included as part of your audits (critical)
     - Ensure remediations are addressed within the set timeframe
  30. Remember… The Six Secrets of IT Audit
     - Make the Technicians Speak Plain English
     - IT is a Business; Run it as a Business
     - The IT Risk Assessment Should Drive the Audit Schedule
     - Customer Information Privacy is High Risk
     - IT Audits Performed by Qualified Professionals
     - Networks Open the Door to Attacks by Anyone, at Anytime, from Anywhere
  31. Questions and Answers
     - Remember:
       - Before you criticize someone, walk a mile in their shoes; that way you are a mile away and you have their shoes.
         - Author: “who knows”