Financial Institution Security
Top IT Security Risk

April 13, 2011 - John Abraham
Issue 1:
Systematic Risk Management

Focus, focus, focus

Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT,
HIPAA - Administrative Safeguards (§164.308), ...
Issue 2:
Mobile Devices in the Enterprise
Issue 3:
Wireless
Issue 4:
Social Media Information Disclosure
Issue 5:
Virtualization Sprawl
Issue 6:
3rd-Party Mobile Applications

Patch Management
+
Mobile Applications
= Danger!
Issue 7:
Vendor Management

The days of “Oops, it was the vendor” being a valid excuse for a data breach are long over.
Issue 8:
SQL Injection

Never trust the user!
Issue 9:
Inadequate Testing Programs

Existence does not equal Effective
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
...
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
...
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 10.0.0.3
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0
access-group out in interface outside
access-group in in interface inside
access-group dmz in interface dmz
...
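The PIX configuration above is shown on the slide without commentary, so a reader has to find the weak rules by eye. As an added example (not part of the deck, and not a Redspin tool), the following Python script parses the subset of PIX 6.x syntax that appears on the slide (access-list permit/deny lines with optional `eq PORT`, and `ip address` lines) and flags four patterns a firewall reviewer checks for: a rule fully covered by an earlier rule in the same list (it can never match), a port name that only exists for the other transport (the `udp ... eq telnet` line), an unrestricted `permit ip` rule, and a rule keyed on one of the firewall's own interface addresses (the `deny ... host 172.16.0.2` line, where 172.16.0.2 is the inside interface). The TCP-only and UDP-only name sets are an assumption of this example, not PIX's full port-name table; the sample input is copied from the slide.

```python
"""Rule lint for Cisco PIX 6.x-style access-list lines (added example)."""
import ipaddress
import re

# Port names that exist for one transport only.  Hand-picked, conservative
# sets; an assumption of this example (PIX knows many more names).
TCP_ONLY = {"ftp", "ssh", "telnet", "smtp", "www", "http", "https"}
UDP_ONLY = {"snmp", "tftp", "ntp", "syslog"}

# Only the syntax seen on the slide: SRC/DST are 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
IFACE_RE = re.compile(r"^ip address\s+\S+\s+(?P<addr>\S+)\s+\S+\s*$")

# Sample input: the access-list and interface lines copied from the slide.
SLIDE_CONFIG = """
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
"""


def to_net(spec):
    """'any', 'host A.B.C.D' or 'A.B.C.D MASK' -> IPv4Network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config_text):
    """Return (acl rules in order, set of firewall interface addresses)."""
    rules, iface_addrs = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface_addrs.add(ipaddress.ip_address(m["addr"]))
            continue
        m = ACL_RE.match(line)
        if m:
            rules.append({"line": line, "acl": m["acl"], "action": m["action"],
                          "proto": m["proto"], "src": to_net(m["src"]),
                          "dst": to_net(m["dst"]), "port": m["port"]})
    return rules, iface_addrs


def covers(outer, inner):
    """True if every packet matching `inner` also matches the earlier `outer`."""
    return (outer["acl"] == inner["acl"]
            and outer["proto"] in ("ip", inner["proto"])
            and inner["src"].subnet_of(outer["src"])
            and inner["dst"].subnet_of(outer["dst"])
            and outer["port"] in (None, inner["port"]))


def audit(config_text):
    """Return findings as (kind, offending line, shadowing line or None)."""
    rules, iface_addrs = parse(config_text)
    findings = []
    for i, r in enumerate(rules):
        # 1. Shadowed: an earlier rule in the same list already decides this traffic.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append(("shadowed", r["line"], earlier["line"]))
                break
        # 2. Port name that does not exist for the stated transport.
        if (r["proto"] == "udp" and r["port"] in TCP_ONLY) or \
           (r["proto"] == "tcp" and r["port"] in UDP_ONLY):
            findings.append(("proto-port-mismatch", r["line"], None))
        # 3. 'permit ip' allows every protocol and port between the endpoints.
        if r["action"] == "permit" and r["proto"] == "ip":
            findings.append(("permit-all-ip", r["line"], None))
        # 4. A /32 equal to an interface address: transit ACLs never see that traffic.
        for end in ("src", "dst"):
            if r[end].prefixlen == 32 and r[end].network_address in iface_addrs:
                findings.append(("firewall-own-address", r["line"], None))
                break
    return findings


if __name__ == "__main__":
    for kind, line, by in audit(SLIDE_CONFIG):
        print(f"{kind:22} {line}")
        if by:
            print(f"{'':22} shadowed by: {by}")
```

Run against the slide's lines it reports six findings: the `permit ip` rule from the DMZ host into the inside network, the SMTP rule right after it (fully shadowed by that `permit ip`), the two inside-to-192.168.0.13 web rules (shadowed by the earlier inside-to-any rules for the same ports), the `udp ... eq telnet` rule, and the FTP deny whose source is the firewall's own inside address. A shadowed rule is not a hole by itself, but it means the policy the reviewer reads is not the policy the firewall enforces, which is exactly the gap "Existence does not equal Effective" points at.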
Free USB Drives
Issue 10:
Social Engineering... phishing

Our testing shows:
  30% failure rate

Recent news:
  Epsilon breach
  RSA Security breach
Issue 10.5:
Lack of Mobile Device Security Policy

Policy components:
  Access control
  Authentication
  Encryption
  Incident response
  Training & awareness
  Vulnerability management
{ Thanks! }
    John Abraham
jabraham@redspin.com
 805-705-8040 (mobile)
Summary:
Top Security Risks for 2011
   Risk Management
   Mobile Devices in the Enterprise
   Wireless
   Social Media Information Disclosure
   Virtualization Sprawl
   3rd-Party Mobile Applications
   Vendor Management
   SQL Injection
   Inadequate Testing Programs
   Social Engineering
   Mobile Device Security Policy

And from last year:
Don't forget about....
   Faulty DMZs
   Virus protection
   Encryption
Financial institution security top it security risk
Financial institution security top it security risk

Más contenido relacionado

Destacado

Mergers & Acquisitions- Arpita Mehrotra
Mergers & Acquisitions- Arpita MehrotraMergers & Acquisitions- Arpita Mehrotra
Mergers & Acquisitions- Arpita Mehrotraarpitamehrotra
 
Interest Rate Risk And Management
Interest Rate Risk And ManagementInterest Rate Risk And Management
Interest Rate Risk And Managementcatelong
 
Risk management in financial institution
Risk management in financial institutionRisk management in financial institution
Risk management in financial institutionUjjwal 'Shanu'
 
Chapter 24_Risk Management in Financial Institutions
Chapter 24_Risk Management in Financial InstitutionsChapter 24_Risk Management in Financial Institutions
Chapter 24_Risk Management in Financial InstitutionsRusman Mukhlis
 
Financial risk management ppt @ mba finance
Financial risk management  ppt @ mba financeFinancial risk management  ppt @ mba finance
Financial risk management ppt @ mba financeBabasab Patil
 
TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkVolker Hirsch
 

Destacado (8)

Financial Institutions
Financial InstitutionsFinancial Institutions
Financial Institutions
 
Primary market
Primary marketPrimary market
Primary market
 
Mergers & Acquisitions- Arpita Mehrotra
Mergers & Acquisitions- Arpita MehrotraMergers & Acquisitions- Arpita Mehrotra
Mergers & Acquisitions- Arpita Mehrotra
 
Interest Rate Risk And Management
Interest Rate Risk And ManagementInterest Rate Risk And Management
Interest Rate Risk And Management
 
Risk management in financial institution
Risk management in financial institutionRisk management in financial institution
Risk management in financial institution
 
Chapter 24_Risk Management in Financial Institutions
Chapter 24_Risk Management in Financial InstitutionsChapter 24_Risk Management in Financial Institutions
Chapter 24_Risk Management in Financial Institutions
 
Financial risk management ppt @ mba finance
Financial risk management  ppt @ mba financeFinancial risk management  ppt @ mba finance
Financial risk management ppt @ mba finance
 
TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of Work
 

Similar a Financial institution security top it security risk

Chris Swan's CloudExpo Europe presentation "Keeping control when moving appli...
Chris Swan's CloudExpo Europe presentation "Keeping control when moving appli...Chris Swan's CloudExpo Europe presentation "Keeping control when moving appli...
Chris Swan's CloudExpo Europe presentation "Keeping control when moving appli...Cohesive Networks
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsAlane Moran
 
Making Threat Management More Manageable
Making Threat Management More ManageableMaking Threat Management More Manageable
Making Threat Management More ManageableIBM Security
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primeramiable_indian
 
NSA advisory about state sponsored cybersecurity threats
NSA advisory about state sponsored cybersecurity threatsNSA advisory about state sponsored cybersecurity threats
NSA advisory about state sponsored cybersecurity threatsRonald Bartels
 
Connected Cars - Poster Child for the IoT Reality Check
Connected Cars - Poster Child for the IoT Reality CheckConnected Cars - Poster Child for the IoT Reality Check
Connected Cars - Poster Child for the IoT Reality CheckSecurity Innovation
 
Hands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill ChainHands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill ChainSplunk
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9Geoff Pesimo
 
smb-vulnerabilities-in-healthcare.pdf
smb-vulnerabilities-in-healthcare.pdfsmb-vulnerabilities-in-healthcare.pdf
smb-vulnerabilities-in-healthcare.pdfSoundariyaSathish
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Mikko Ohtamaa
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
IT103Microsoft Windows XP/OS Chap11
IT103Microsoft Windows XP/OS Chap11IT103Microsoft Windows XP/OS Chap11
IT103Microsoft Windows XP/OS Chap11blusmurfydot1
 
Ce hv8 module 17 evading ids, firewalls, and honeypots
Ce hv8 module 17 evading ids, firewalls, and honeypotsCe hv8 module 17 evading ids, firewalls, and honeypots
Ce hv8 module 17 evading ids, firewalls, and honeypotsMehrdad Jingoism
 

Similar a Financial institution security top it security risk (20)

Incident Response: SIEM
Incident Response: SIEMIncident Response: SIEM
Incident Response: SIEM
 
SIEM
SIEMSIEM
SIEM
 
Chris Swan's CloudExpo Europe presentation "Keeping control when moving appli...
Chris Swan's CloudExpo Europe presentation "Keeping control when moving appli...Chris Swan's CloudExpo Europe presentation "Keeping control when moving appli...
Chris Swan's CloudExpo Europe presentation "Keeping control when moving appli...
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systems
 
News bytes Oct-2011
News bytes  Oct-2011News bytes  Oct-2011
News bytes Oct-2011
 
Making Threat Management More Manageable
Making Threat Management More ManageableMaking Threat Management More Manageable
Making Threat Management More Manageable
 
How to use shodan more powerful
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
NSA advisory about state sponsored cybersecurity threats
NSA advisory about state sponsored cybersecurity threatsNSA advisory about state sponsored cybersecurity threats
NSA advisory about state sponsored cybersecurity threats
 
Connected Cars - Poster Child for the IoT Reality Check
Connected Cars - Poster Child for the IoT Reality CheckConnected Cars - Poster Child for the IoT Reality Check
Connected Cars - Poster Child for the IoT Reality Check
 
Hands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill ChainHands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill Chain
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
smb-vulnerabilities-in-healthcare.pdf
smb-vulnerabilities-in-healthcare.pdfsmb-vulnerabilities-in-healthcare.pdf
smb-vulnerabilities-in-healthcare.pdf
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
 
Mobile security
Mobile securityMobile security
Mobile security
 
IT103Microsoft Windows XP/OS Chap11
IT103Microsoft Windows XP/OS Chap11IT103Microsoft Windows XP/OS Chap11
IT103Microsoft Windows XP/OS Chap11
 
Ce hv8 module 17 evading ids, firewalls, and honeypots
Ce hv8 module 17 evading ids, firewalls, and honeypotsCe hv8 module 17 evading ids, firewalls, and honeypots
Ce hv8 module 17 evading ids, firewalls, and honeypots
 
Fortinet k
Fortinet kFortinet k
Fortinet k
 
News bytes Sept-2011
News bytes Sept-2011News bytes Sept-2011
News bytes Sept-2011
 

Más de Redspin, Inc.

HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesRedspin, Inc.
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin, Inc.
 
HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateRedspin, Inc.
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedRedspin, Inc.
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Redspin, Inc.
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Redspin, Inc.
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Redspin, Inc.
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin, Inc.
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin, Inc.
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security PolicyRedspin, Inc.
 
Managing Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineManaging Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineRedspin, Inc.
 
Redspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin, Inc.
 
Redspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin, Inc.
 
Email hacking husband faces felony
Email hacking husband faces felonyEmail hacking husband faces felony
Email hacking husband faces felonyRedspin, Inc.
 
Meaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationMeaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationRedspin, Inc.
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Redspin, Inc.
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Redspin, Inc.
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawRedspin, Inc.
 
Ensuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information SecurityEnsuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information SecurityRedspin, Inc.
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityRedspin, Inc.
 

Más de Redspin, Inc. (20)

HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business Associates
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012
 
HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest State
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol Published
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP Template
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security Policy
 
Managing Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineManaging Windows User Accounts via the Commandline
Managing Windows User Accounts via the Commandline
 
Redspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful Use
 
Redspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach Report
 
Email hacking husband faces felony
Email hacking husband faces felonyEmail hacking husband faces felony
Email hacking husband faces felony
 
Meaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationMeaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health information
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
 
Ensuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information SecurityEnsuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information Security
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information Security
 

Último

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Último (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

Financial institution security top it security risk

  • 1. Financial Institution Security Top IT Security Risk April 13, 2011 - John Abraham
  • 2. Issue 1: Systematic Risk Management Focus, focus, focus
  • 3. Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA - Administrative Safeguards (§164.308), ...
  • 4.
  • 5. Issue 2: Mobile Devices in the Enterprise
  • 6.
  • 8. Issue 4: Social Media Information Disclosure
  • 10. Issue 6: 3rd-Party Mobile Applications. Patch Management + Mobile Applications = Danger!
  • 11. Issue 7: Vendor Management The days of “Oops, it was the vendor” being a valid excuse for a data breach are long over.
  • 12. Issue 8: SQL Injection Never trust the user!
  • 13. Issue 9: Inadequate Testing Programs Existence does not equal Effective
  • 14.
  • 15. PIX Version 6.3(5)
        interface ethernet0 auto
        interface ethernet1 auto
        interface ethernet2 auto
        nameif ethernet0 outside security0
        nameif ethernet1 inside security100
        nameif ethernet2 dmz security50
        ...
        access-list out permit tcp any host 10.0.0.15 eq smtp
        access-list out permit tcp any host 10.0.0.15 eq www
        access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
        access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
        access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
        access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
        access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
        access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
        access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
        access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
        access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
        access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
        access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
        access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
        access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
        access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
        ...
        ip address outside 10.0.0.2 255.255.255.0
        ip address inside 172.16.0.2 255.255.255.0
        ip address dmz 192.168.0.1 255.255.255.0
        ip audit info action alarm
        ip audit attack action alarm
        pdm history enable
        arp timeout 14400
        global (outside) 1 10.0.0.3
        nat (inside) 1 172.16.0.0 255.255.255.0 0 0
        static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0
        access-group out in interface outside
        access-group in in interface inside
        access-group dmz in interface dmz
        ...
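The DMZ policy on the slide is the kind reviewed under "Faulty DMZs": the first dmz rule permits all IP from the DMZ host into the inside network, so the deny and the narrower smtp permit that follow it never match, and the inside list permits telnet (over udp, which never matches a TCP service). The script below is an added example, not code from the presentation: it parses the slide's access-list lines and reports those three classes of finding.

```python
"""Audit the PIX 6.3 access-lists from the slide: added example, not the deck's
own code. Flags cleartext services permitted, a udp rule for a TCP-only service,
and rules shadowed by an earlier broader `ip` rule (PIX is first-match)."""
import ipaddress
CLEARTEXT = {"telnet", "ftp"}       # credentials cross the wire in the clear
TCP_ONLY = {"telnet", "ftp", "ssh", "www", "https", "smtp"}
# Constructed input: access-list lines copied verbatim from the slide.
PIX_ACL = """\
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
"""

def _addr(t):
    # Consume one PIX address spec: any | host A | A MASK -> (network, rest).
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def parse_acl(text):
    """Return rules as dicts in configuration order."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append({"line": n, "acl": t[1], "action": t[2], "proto": t[3],
                      "src": src, "dst": dst, "port": port})
    return rules

def audit(rules):
    """Return (line, finding) pairs; shadowing is checked within one access-list."""
    findings, earlier = [], {}
    for r in rules:
        if r["action"] == "permit" and r["port"] in CLEARTEXT:
            findings.append((r["line"], "cleartext"))
        if r["proto"] == "udp" and r["port"] in TCP_ONLY:
            findings.append((r["line"], "udp-rule-for-tcp-service"))
        for e in earlier.get(r["acl"], []):   # an earlier ip rule covering this one?
            if e["proto"] == "ip" and r["src"].subnet_of(e["src"]) \
                    and r["dst"].subnet_of(e["dst"]):
                findings.append((r["line"], f"shadowed-by-line-{e['line']}"))
                break
        earlier.setdefault(r["acl"], []).append(r)
    return findings
```

Run `audit(parse_acl(PIX_ACL))` to get the findings; the full slide configuration can be pasted into PIX_ACL unchanged, since non-access-list lines are skipped.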
  • 17. + + Free USB Drives
  • 18.
  • 19. Issue 10: Social Engineering... phishing. Our testing shows: 30% failure rate. Recent news: Epsilon breach, RSA Security breach
  • 20. Issue 10.5: Lack of Mobile Device Security Policy. Policy components: access control, authentication, encryption, incident response, training & awareness, vulnerability management
  • 21. { Thanks! } John Abraham jabraham@redspin.com 805-705-8040 (mobile)
  • 22. Summary: Top Security Risks for 2011: Risk Management, Mobile Devices in the Enterprise, Wireless, Social Media Information Disclosure, Virtualization Sprawl, 3rd-Party Mobile Applications, Vendor Management, SQL Injection, Inadequate Testing Programs, Social Engineering, Mobile Device Security Policy
  • 23. And from last year: Don't forget about.... Faulty DMZs, Virus protection, Encryption