Is your organization battling Phishing, Smishing, and/or Vishing scams? I recently spoke at the California Bankers Association and presented on the current threat landscape and several recommendations for mitigation. Here is a copy of the slide deck: http://www.jeromiejackson.com/Phishing.pdf
I presented on ACH, Wire Fraud, and Corporate Account Takeover at the Credit Union Information Security Practitioners Association (CUISPA) earlier this year. With the significant rise in fraud and risk in this area I wanted to make the presentation available to the Internet at large. Here is a link to the presentation in PDF format: ACH, Wire Fraud, and Corporate Account Takeover
Written by Jeromie Jackson Published on Tuesday, 23 November 2010 17:50

June 15, 2011 is the date set to begin implementation of the SSAE 16 standard. The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) maintains the SAS 70 standard. The SAS 70 is the de facto standard used to document a service provider's internal security controls. Too bad it misses the boat in truly documenting a service provider's security posture.
The primary problem with the SAS 70, and the upcoming SSAE 16, is the lack of standard control requirements. The SAS 70/SSAE 16 allows the service provider to define which controls are utilized. The audit only confirms that the documented controls are implemented; whether those controls are sufficient is not reviewed. Without a standard, the quality and comprehensiveness of the controls becomes questionable.
Mature organizations have adopted control frameworks such as COBIT and the ISO 27000 series. The Control OBjectives for IT (COBIT) defines control focus areas, key performance indicators (KPIs), key goal indicators (KGIs), and governance to assist organizations in reaching high levels of maturity. COBIT defines maturity much like the SEI Capability Maturity Model (SEI-CMM):
Level 0: Non-existent
Level 1: Initial/ad hoc
Level 2: Repeatable but Intuitive
Level 3: Defined Process
Level 4: Managed and Measurable
There are two primary changes between the SAS 70 and the SSAE 16. With SSAE 16, service provider executives will now be required to provide attestations about the presentation and accuracy of the system and its supporting controls. Secondly, as opposed to the SAS 70, which represented a specific date, the SSAE 16 will represent a period of time.
Contrary to a popular misconception, there is no SAS 70 Type certification process. The SAS 70 and SSAE 16 are meant to be used as a standard communications vehicle between auditors. While reviewing SAS 70 and SSAE 16 reports from vendors is prudent, and may provide some protection from a legal perspective, a deep dive into the reports is required to truly understand the quality of information security within the service provider. I recommend always asking for the right to audit the service provider in contractual agreements. As with most negotiations, ask for twice as much as what you expect. If they decline, I recommend the right to review the most recent penetration testing and vulnerability assessment reports at minimum. Ensure your intellectual property is protected with both vendors with whom you share data or a physical location and those who may remotely connect into your networks. Always remember-
Written by Jeromie Jackson Published on Wednesday, 05 January 2011 18:58

Trace security breaches at financial institutions and many lead back to external vendors. To mitigate the threat, the FFIEC addressed the issue on page 88 of the FFIEC IT Examination Handbook. If your security vendor provides penetration tests, vulnerability assessments, social engineering, or other infosec services and also designs, installs, maintains, or supports operational components in the organization, you are at risk of negative remarks on your audit.
“Independent tests include penetration tests, audits, and assessments. Independence provides credibility to the test results. To be considered independent, testing personnel should not be responsible for the design, installation, maintenance, and operation of the tested system, or the policies and procedures that guide its operation. The reports generated from the tests should be prepared by individuals who also are independent of the design, installation, maintenance, and operation of the tested system.”
There are many vendors attempting to provide cloud-based compliance, risk management, vulnerability management, and other services alongside infosec services such as security assessments, risk assessments, penetration tests, vulnerability assessments, social engineering, and web application assessments. While vendor consolidation can potentially reduce cost, it directly conflicts with FFIEC regulations. A more appropriate approach is to leverage vendor-agnostic solutions providers, while using a separate organization for information security services.
If you are currently at risk based on your vendor relationships, contact me and I will help you maintain a quality information security posture while ensuring operational costs are tightly controlled.
Written by Jeromie Jackson Published on Monday, 15 November 2010 20:13 Last updated on Monday, 15 November 2010 20:17

Credit Union security practitioners leverage Rapid7 to provoke reaction at the board level. Compromised credit cards, remote command-and-control over an ERP system, and administrative access to the payroll database provide for much more compelling discussions than the number of vulnerabilities found in the environment. Hypothetical issues do not obtain budget.
Credit Unions are required to adhere to stringent security regulations. Delivery of superior security & risk management is often squelched, however, by small budgets, lean staffing, and technical jargon. Most credit unions have existing vulnerability assessment budgets in place. By leveraging the Rapid7 software suite, credit union security practitioners are enabled to bring transparency to the current state of security affairs.
I am sure you have experienced the difference it makes when speaking to someone with their paradigm in mind, and a good story. There is a very different reaction when I tell a client that a given machine is infected and susceptible to attack vs. when I hand the executive their recent tax paperwork and a copy of their customer database. Putting business context into a security conversation makes the discussion relative to non-technical peers.
Rapid7 acquired the open-source Metasploit security framework in October 2009. Since that time, integration between the vulnerability scanning application Nexpose and Metasploit has been built, allowing someone to pivot from a vulnerability right to a pre-loaded exploit page leveraging Metasploit. In April of 2010 Rapid7 then released Metasploit Express, providing a clean graphical interface over an application that had come from a command-line background. This definitely brought penetration testing mainstream. In July 2010 Rapid7 announced sponsorship of w3af, a strong web application assessment tool, while acquiring the founder of the project, Andrés Riancho. They seem to be acquiring talent and exceptional projects which have large existing install bases; not a bad business strategy in my humble opinion.
Being able to not simply identify vulnerabilities, but to attack, compromise, and collect intellectual property from those assets generates much more response from executives. Security is important. Executives quickly turn a deaf ear to technical jargon. The ability to demonstrate compromise, as opposed to commenting on vulnerabilities, is a game-changer for credit union security practitioners.