Re: [security] Bank Audit Best practices

From: rsh@idirect.com
Date: Thu Mar 18 2004 - 18:26:27 EST


A few questions... as the answer will vary

1. If the bank:
        had its own data centre, and
        did their own processing of items at that data centre, and
        had the same sort of direct link to that data centre.
   what would you be saying to them when you found that link?

If you would say the same thing as when you find this kind of link to
their [external] transaction processor, then continue with your approach
but read below. If you would NOT make the same recommendation, determine
what the difference really is. Neither of the two locations will be
on-site to where the transactions are actually captured, after all.

2. What are the specific defences set up at the transaction processor?
Most places doing this sort of processing that I am aware of are
actually owned by one or more banks and were the transaction processor
for one bank before that bank split them off and had them start to sell
their services to other financial institutions so as to save money.
Their security is often equal to or better than the rest of the bank's
system.

3. What is in the contract concerning responsibility for the security
over that link and the router or other devices in place? Who has the
liability if something goes wrong?

4. Are the communications themselves
        in the clear, or
        is everything encrypted in one way or another?
[so that an individual intent on mischief or having some nefarious
purpose cannot obtain any information if sitting on the point to point
line outside the premises of the bank or the transaction processor].

5. Are the protections in place any worse than the protection between
various branches of the bank, wherever they might be, and the central
point that connects to the transaction processor?

My personal view, after over 30 years working for FIs, is that the link
to the transaction processor is likely equal in security or more secure
than the links between branches of the bank, and the security once at
the transaction processor is also likely better and more proof against
social engineering than anything in most of the bank.

That said, any improvement in security or added protection is not bad to
add, BUT it needs to be justified expense wise, since you are trying to
sell an insurance policy to the bank with what you are recommending.

Would YOU, having looked at the total environment and all of the
security in place, spend the money both for that added defence and the
added manpower needed to maintain, run and monitor that added defence?

If it were your money that were being spent would the answer be
identical?

If the answer is
        No - do not bother recommending it.
        Maybe - think long before recommending it - prove as per yes below.
        Yes - prove it is cost justified when you recommend it.

R S (Bob) Heuman
Computer Security Consulting
Toronto, ON

-------------------------

On Wed, 17 Mar 2004 09:06:34 -0500, you wrote:

>I'm looking for some feedback from other people who conduct security
>audits and penetration tests on banks.
>
>One of the network aspects I come across a lot is a direct line to their
>transaction processor. This is often in the form of a point-to-point or
>frame line that is dropped onsite with a router controlled by the
>processor, not the bank. I always point out that this is a network
>security risk, as there is no control from the bank side regarding the
>access provided through that line, and recommend an ACL or departmental
>firewall at that point.
>
>As always, the administrators look at me like I recommended them selling
>their firstborn. The relationship between the bank and their processor
>is very symbiotic as the bank couldn't even exist without their
>services, yet my perspective is any outside system should go through
>some level of border security in order to monitor and restrict traffic.
>
>Anyone run into this? How do you handle?
>
>M. Dante Mercurio
>dante@webcti.com
>Consulting Group Manager
>Continental Technologies, Inc
>www.webcti.com


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT