Penetration Testing mailing list archives
Re: [security] Bank Audit Best practices
From: rsh () idirect com
Date: Thu, 18 Mar 2004 18:26:27 -0500
A few questions... as the answer will vary.

1. If the bank had its own data centre, did their own processing of items at that data centre, and had the same sort of direct link to that data centre, what would you be saying to them when you found that link? If you would say the same thing as when you find this kind of link to their [external] transaction processor, then continue with your approach but read below. If you would NOT make the same recommendation, determine what the difference really is. Neither of the two locations will be on-site to where the transactions are actually captured, after all.

2. What are the specific defences set up at the transaction processor? Most places doing this sort of processing that I am aware of are actually owned by one or more banks and were the transaction processor for one bank before that bank split them off and had them start to sell their services to other financial institutions so as to save money. Their security is often equal to or better than the rest of the bank's system.

3. What is in the contract concerning responsibility for the security over that link and the router or other devices in place? Who has the liability if something goes wrong?

4. Are the communications themselves in the clear, or is everything encrypted in one way or another? [So that an individual intent on mischief or having some nefarious purpose cannot obtain any information if sitting on the point-to-point line outside the premises of the bank or the transaction processor.]

5. Are the protections in place any worse than the protection between various branches of the bank, wherever they might be, and the central point that connects to the transaction processor?
My personal view, after over 30 years working for FIs, is that the link to the transaction processor is likely equal in security or more secure than the links between branches of the bank, and the security once at the transaction processor is also likely better and more proof against social engineering than anything in most of the bank.

That said, any improvement in security or added protection is not bad to add, BUT it needs to be justified expense-wise, since you are trying to sell an insurance policy to the bank with what you are recommending. Would YOU, having looked at the total environment and all of the security in place, spend the money both for that added defence and the added manpower needed to maintain, run and monitor that added defence? If it were your money that were being spent, would the answer be identical?

If the answer is No - do not bother recommending it. Maybe - think long before recommending it - prove as per Yes below. Yes - prove it is cost justified when you recommend it.

R S (Bob) Heuman
Computer Security Consulting
Toronto, ON

-------------------------

On Wed, 17 Mar 2004 09:06:34 -0500, you wrote:
I'm looking for some feedback from other people who conduct security audits and penetration tests on banks. One of the network aspects I come across a lot is a direct line to their transaction processor. This is often in the form of a point-to-point or frame line that is dropped onsite with a router controlled by the processor, not the bank. I always point out that this is a network security risk, as there is no control from the bank side regarding the access provided through that line, and recommend an ACL or departmental firewall at that point. As always, the administrators look at me like I recommended them selling their firstborn.

The relationship between the bank and their processor is very symbiotic as the bank couldn't even exist without their services, yet my perspective is any outside system should go through some level of border security in order to monitor and restrict traffic.

Anyone run into this? How do you handle?

M. Dante Mercurio
dante () webcti com
Consulting Group Manager
Continental Technologies, Inc
www.webcti.com
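The control Dante recommends, a bank-side ACL that restricts and logs what crosses the processor link, as an added illustration that is not configuration from either poster or from any real bank or processor: a Cisco IOS style extended ACL pair applied on the bank's own device where it faces the processor-managed router. Every address (RFC 1918 and RFC 5737 ranges), port number, host name and interface name below is a constructed placeholder; in practice the permitted hosts and ports come from the contract and the processor's own documentation (Bob's question 3 above), and the ACL is only as good as the monitoring of its log entries.

```cisco
! Added example (not from the thread): bank-side filtering on the link to the
! transaction processor. Addresses, ports and interface names are constructed
! placeholders. 192.0.2.0/24 = processor's transaction network,
! 198.51.100.0/30 = the point-to-point link, 10.10.5.20 = bank core-banking
! gateway, 10.10.9.5 = bank log host.
!
! Traffic arriving FROM the processor side: only the processor's transaction
! hosts may reach the bank's core-banking gateway on the agreed service port,
! plus replies to sessions the bank opened. Everything else is dropped and
! logged, so the bank sees any unexpected traffic the far-end router passes.
ip access-list extended PROCESSOR-IN
 remark --- processor transaction hosts -> bank core-banking gateway ---
 permit tcp host 192.0.2.10 host 10.10.5.20 eq 1443
 permit tcp host 192.0.2.11 host 10.10.5.20 eq 1443
 remark --- replies to sessions the bank gateway initiated toward the processor ---
 permit tcp 192.0.2.0 0.0.0.255 eq 1443 host 10.10.5.20 established
 remark --- link keepalive from the processor-managed router only ---
 permit icmp host 198.51.100.2 host 198.51.100.1 echo
 remark --- default deny, logged ---
 deny ip any any log
!
! Traffic leaving TOWARD the processor: only the core-banking gateway may open
! sessions, so a compromised branch workstation or other internal host cannot
! use the link at all.
ip access-list extended PROCESSOR-OUT
 remark --- bank core-banking gateway -> processor transaction hosts ---
 permit tcp host 10.10.5.20 192.0.2.0 0.0.0.255 eq 1443
 remark --- replies to sessions the processor initiated ---
 permit tcp host 10.10.5.20 eq 1443 192.0.2.0 0.0.0.255 established
 permit icmp host 198.51.100.1 host 198.51.100.2 echo-reply
 deny ip any any log
!
interface GigabitEthernet0/1
 description Bank side of link to transaction processor (processor-managed router at 198.51.100.2)
 ip address 198.51.100.1 255.255.255.252
 ip access-group PROCESSOR-IN in
 ip access-group PROCESSOR-OUT out
!
! Ship the ACL log entries to the bank's central log host so the link is
! actually monitored, not just filtered.
logging host 10.10.9.5
logging trap informational
```

The two-direction design is the point: the inbound list limits what the processor side can reach if anything on the far end is compromised, and the outbound list limits what can leave the bank over the link, which is the cheaper half of the "insurance policy" Bob describes since it needs no cooperation from the processor. The `log` keyword on the deny lines is what turns the ACL from a filter into a monitoring point; without a log host receiving and reviewing those entries, the recommendation delivers restriction but not the monitoring Dante also asks for.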