3. Perfect Profilers
• Our purpose
▫ Analyze IT infrastructure
▫ Provide mitigation strategies
▫ Determine plan of action
4. Agenda
• Current vs future infrastructure
• Our Risk Profiling Tool
• Evaluation of current state applications
• Analysis of future state infrastructure
• 12 month program
• Demonstration of Risk Profiling Tool
8. Current State Residual Heat Map
[Figure: current-state heat map plotting the applications TEL, FIN, ATM, BODPS, PeoplePay, WeHelp, CMS, BeSecure and IReport against Likelihood and Impact]
9. Key Existing Controls
• Firewalls
• Antivirus
• All systems notify relevant employees in the event of an IT problem
• All applications are backed up
10. Broad Recommendations
• Update servers
• Enhance security department
• Encrypt necessary applications
• Comply with industry standards and regulations
11. Regulatory Agencies and Regulations
• FFIEC
▫ FDIC
▫ Board of Governors of the Federal Reserve System
• Federal Trade Commission
• State Regulations
12. Industry Standards
• NIST 800 Series
▫ Attack and penetration testing
• PCI DSS
▫ 3rd party vendors
13. Medium Risk: FIN
Risk Drivers:
• Outdated servers
• Lack of encryption
• Noncompliance
• Systems are not mirrored
Recommendations:
• System z13
• 128-bit encryption
• Comply with industry standards and regulations
• Mirroring of systems
14. Medium Risk: BODPS
Risk Drivers:
• Outdated servers
• No redundancy checks
• Systems are not mirrored
• Noncompliance
Recommendations:
• IBM P Series vs distributed server
• Free up server space
• Mirroring of systems
• Comply with industry standards and regulations
15. Medium Risk: ATM & TEL
Risk Drivers:
• Noncompliance
• Lack of security
• Outdated servers
Recommendations:
• Comply with industry standards and regulations
• Attack and penetration testing
• Monitor access
• Microsoft SQL 2014
17. Future State Infrastructure
High Risk
• ABC Online
Medium Risk
• FIN
• ATM
• BODPS
Low Risk
• CMS
• BeSecure
• PeoplePay
• iReport
• WeHelp
• TEL
18. Future State Residual Heat Map
[Figure: future-state heat map plotting the applications FIN, ATM, BODPS, PeoplePay, WeHelp, CMS, BeSecure, IReport, ABC Online and TEL against Likelihood and Impact]
19. Changes Resulting from ABC Online
Increased Impact
• FIN
• BODPS
• BeSecure
• CMS
Increased Vulnerabilities
• FIN
• BeSecure
Decreased Impact
• TEL
[Figure: Anticipated Future Infrastructure]
20. High Risk: ABC Online
Risk Drivers:
• Internet facing
• High number of users
• Outdated software
• Noncompliance
Recommendations:
• 128-bit encryption
• Update Oracle to version 12c
• Comply with FFIEC
• Multi-factor authentication
• Device identification based off cookies
• Use of debit card blocks
21. Our Proposal
• Focus on mitigating risks within the current state environment; reconsider online banking in the future
22. 12 Month Program
[Figure: 12-month timeline marked at months 0, 4, 8 and 12]
• Comply with standards and regulations
• Enhance security department
• Schedule of updates for servers
• Encryption
• Mirroring of systems
• Reassessment of IT applications
23. Within 4 Months
• Prioritize compliance across applications
▫ FFIEC, PCI DSS
• Enhance security department
▫ Proper training, staying up-to-date
24. Cost/Benefit Analysis
Roadmap to Comply with Regulations:
$40 million - $86 million
▫ PCI DSS – fines can range from $5,000-$100,000 per month for PCI compliance violations
▫ Penalties of $15 million for violations of FFIEC
25. Cost/Benefit Analysis
Enhance IT Security Team:
$135,000 - $400,000 per year
▫ CISO: $125,000 - $250,000 salary
▫ Attack and penetration testing: $10,000-$150,000
26. Within 8 Months
• Create and implement a schedule of updates for servers
• Encryption
▫ FIN, CMS
27. Cost/Benefit Analysis
Update Servers:
$14 million - $85 million
▫ SONY - $170 million loss due to outdated servers
▫ Goldman Sachs - $83 million to update all mainframes
28. Cost/Benefit Analysis
Encryption:
$100 - $300 per system
▫ Anthem data breach - $100 million, 80 million records exposed
▫ Coca-Cola data breach – 74,000 records exposed
29. Within 12 Months
• Mirroring of critical applications
▫ BODPS, FIN
• Reassessment of IT applications
37. Projected Residual Risk Score
• Based on the implementation of suggested controls
Original:
New:
38. Questions, Comments, Concerns?
Stay connected! Email us at:
2015trajectory2@gmail.com
Follow us on Facebook & Twitter to stay up to date with current events!
www.facebook.com/PerfectProfilers
@PerfProfilers