Blog: Security and Compliance

The shredding of printed information is an important part of information security.  It's important to use a cross-cut paper shredder as opposed to a strip-cut shredder, but most of all it's important to verify that all your printed information is actually being shredded before it's thrown away.

During a recent audit we had a client tell us that they collect all their paper to be shredded, lock it up daily, and then send it to one of their main branches for shredding on a weekly basis.  It's our standard procedure to check the dumpsters behind our customers' facilities during our audits, and in this case we found a few trash bags of non-shredded paper containing customer information. A trash bag full of paper with customer information looks like ordinary trash to untrained janitorial staff.  In this case proper labeling and more training could have helped avoid this problem.  Taking the time periodically to ensure that your paper shredding procedures are being followed could prevent exposing your confidential information.


 

While onsite for an IT audit this week, I had to connect to a bank's network from three separate locations. 

At the first location, I got a couple of DHCP addresses (one for my host and one for VMware Workstation) and had no trouble getting connected to the Internet (via browser, RDP, etc.).

When I connected at the second site, I was able to get Internet connectivity from my host but not from within VMware.  I fiddled with it for a while and finally made do.

When I connected at the third site, they told me they needed to give me static IPs, since they had IP tables in their Check Point firewall to define which systems had Internet access.

That made me ask why I had no problems at the first site and only half a problem at the second site.  The root cause of all this was that nobody had been reviewing the IP table in their Check Point firewall.  The whole bank subnet at the first site was allowed access to the Internet (this was left over from a merger about six months ago).  The IP address DHCP gave my host at the second site just happened to be in the list on the firewall (nobody could remember why that random address was in the table).  It's good to review your configurations, or have someone else look over them, because mistakes won't necessarily be obvious.


 

Symantec published a paper in conjunction with Indiana University describing how attackers could be using unsecured home wireless access points in pharming attacks. The vulnerability stems from easily guessed credentials on the wireless routers, and the credentials on default installations are definitely easy to guess.

The ploy described in this paper (http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf) involves the use of JavaScript on a malicious website that changes the DNS settings on the wireless router - provided the router credentials can be guessed by the script.

So, there is more to it than being sure your wireless transmissions are encrypted.


 

As of IOS 12.3(1), Cisco introduced support for enforcing a minimum password length and for sending a syslog message after a specified number of failed login attempts.  Enabling these commands will help banks comply with regulations and their own policies as well as improve the security of their Cisco IOS devices.  I have not found similar commands for CatOS or PIX OS yet.

security passwords min-length <length>

  • Global configuration command that sets the minimum password length for user, enable, and line passwords.
  • The default is six, but it should be configured according to bank policies.


security authentication failure rate <threshold-rate> log

  • Global configuration command that sets the number of failed login attempts (without at least a 15-second delay between them) before a syslog message is generated.
  • The threshold value can be 2-1024.  A value of 1 will not generate any syslog messages.  The default is 10, but it should comply with bank policies.
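A quick way to check the two settings above during a configuration review is to run a script over each device's running-config. The following is an added example, not part of the original post: it audits a constructed IOS config excerpt against an assumed bank policy of an eight-character minimum and the threshold rules described above.

```python
import re

# Constructed sample of an IOS running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
version 12.3
service password-encryption
hostname branch-rtr
security passwords min-length 6
security authentication failure rate 1 log
!
line vty 0 4
 login local
"""

MIN_LENGTH_RE = re.compile(r"^security passwords min-length (\d+)\s*$", re.M)
FAIL_RATE_RE = re.compile(r"^security authentication failure rate (\d+) log\s*$", re.M)


def audit_ios_config(config, policy_min_length=8):
    """Return a list of findings; an empty list means both settings meet policy.

    policy_min_length is an assumed bank policy value, not an IOS default.
    """
    findings = []

    m = MIN_LENGTH_RE.search(config)
    if m is None:
        findings.append("security passwords min-length is not configured (IOS default is 6)")
    elif int(m.group(1)) < policy_min_length:
        findings.append(f"min-length {m.group(1)} is below the policy minimum of {policy_min_length}")

    m = FAIL_RATE_RE.search(config)
    if m is None:
        findings.append("security authentication failure rate is not configured (default is 10)")
    else:
        rate = int(m.group(1))
        if rate == 1:
            findings.append("failure rate 1 generates no syslog messages")
        elif not 2 <= rate <= 1024:
            findings.append(f"failure rate {rate} is outside the valid range 2-1024")

    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```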

 

Personal or confidential information about an individual or organization can be collected and exposed without a person’s prior knowledge or informed consent. This information can be used to compromise a bank's systems or to conduct identity theft. Practices to prevent and detect spyware should be regularly reviewed to ensure that an institution is aware of all risks to its systems and to sensitive customer information.

Tips to Prevent Spyware
http://www.ftc.gov/bcp/conline/pubs/alerts/spywarealrt.htm

  • Update your operating system and Web browser software. Your operating system (like Windows or Linux) may offer free software "patches" to close holes in the system that spyware could exploit.
  • Download free software only from sites you know and trust. It can be appealing to download free software like games, peer-to-peer file-sharing programs, customized toolbars, or other programs that may change or customize the functioning of your computer. Be aware, however, that some of these free software applications bundle other software, including spyware.
  • Don't install any software without knowing exactly what it is. Take the time to read the end-user license agreement (EULA) before downloading any software. If the EULA is hard to find — or difficult to understand — think twice about installing the software.
  • Minimize "drive-by" downloads. Make sure your browser security setting is high enough to detect unauthorized downloads, for example, at least the "Medium" setting for Internet Explorer. Keep your browser updated.
  • Don't click on any links within pop-up windows. If you do, you may install spyware on your computer. Instead, close pop-up windows by clicking on the "X" icon in the title bar.
  • Don't click on links in spam that claim to offer anti-spyware software. Some software offered in spam actually installs spyware.

Install a personal firewall to stop uninvited users from accessing your computer. A firewall blocks unauthorized access to your computer and will alert you if spyware already on your computer is sending information out.

The best prevention is awareness training to help employees adopt the behavior needed to prevent spyware on bank computers and on personal computers that are used to connect to the bank's network. Internet banking customers would also benefit from training. Education should cover the risks of using public computers, such as those in hotels, libraries, or Internet cafés, since there is no way to know what spyware may already be installed on public equipment.

Detection includes installing anti-spyware client software. This software should be run on a regular basis to find and remove spyware infections.

If you could benefit from spyware prevention or detection services or need assistance with technology support, please contact us.

For more information regarding this topic, please visit:
http://www.fdic.gov/news/news/financial/2005/fil6605.html
http://www.cio-today.com/news/Internet-Users-Change-Habits-for-Spyware/story.xhtml?story_id=020000O5OSBS
http://japantoday.com/e/?content=news&cat=2&id=343907
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1108774,00.html?track=NL-105&ad=523375
http://www.eweek.com/article2/0,1759,1839427,00.asp


 

The Department of the Treasury recently published Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.

You are probably familiar with the publication of this guidance as described by The Federal Reserve Board at www.federalreserve.gov/boarddocs/press/bcreg/2005/20050323/default.htm

The Text of Common Final Guidance contains Supplement A to Appendix B, which is being incorporated into agency regulations. It would be wise for appropriate bank personnel to be familiar with this supplement's text (found on page 32 of the attachment at www.federalreserve.gov/boarddocs/press/bcreg/2005/20050323/attachment.pdf). The entire document is useful in understanding the overall guidance and the thought processes behind the rulings, but the actual guidance text begins on page 32.

The CoNetrix Security Group has reviewed the guidelines and has drafted recommended updates to Information Technology Security Policies. Within the next few weeks, we will contact the banks with which we have worked on such policies. If you have not worked with CoNetrix regarding preparation of security policies and are interested in doing so, please contact us.