Security in Context: The BeyondTrust Blog

Unified Vulnerability Management for Financial Organizations

Posted June 14, 2011    Morey Haber

If you are in the financial sector, how are you protecting your financial systems from tampering? If you are the CEO or CFO, you must ensure that your financial reports are accurate, delivered in a timely fashion, and do not contain any information that has been tampered with. This requires securing the critical information technology systems that contain this data and the systems they are interconnected with. The entire infrastructure that supports this is commonly referred to as the "scope". Systems in scope have interconnections between them and are used to transfer or process the data elements used to create accurate records. For the executive signing off on an organization's financial reports, ensuring that none of the systems in scope have been tampered with is a critical function that they must get right. Tampering with data can occur in a variety of ways, but the most critical is when it is done using flaws in the underlying technology, such as vulnerabilities. This is where a Unified Vulnerability Management program becomes a strategic part of ensuring the accuracy of a financial organization's reports. It can identify flaws in the technology, make recommendations for remediation, perform patch mitigation, and provide protection against zero-day vulnerabilities and Advanced Persistent Threats.

This type of security is covered by two different regulatory initiatives that may be applicable to your financial organization:

SOX

Description
In July 2002, the United States Congress passed the Sarbanes-Oxley Act ("SOX"), which was primarily designed to restore investor confidence following well-publicized bankruptcies that brought chief executives, audit committees, and independent auditors under heavy scrutiny. The act is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC). Financial data and documentation are at the heart of the compliance issue.

Vulnerability and Risk Requirements
SOX Section 404: Assessment of Internal Control
Understand the flow of transactions, including IT aspects, to identify points at which a misstatement could arise. Evaluate controls designed to prevent or detect fraud. Perform a fraud risk assessment.

GLBA

Description
The Gramm-Leach-Bliley Act (GLBA) was enacted to ensure protection of customers' records and information. To satisfy the rules and provisions of GLBA, financial institutions are required to perform security risk assessments; develop and implement security solutions that effectively detect, prevent, and allow timely incident response; and perform auditing and monitoring of their security environment.

Vulnerability and Risk Requirements
Section 508
Subtitle A: Disclosure of Nonpublic Personal Information
Conduct a thorough [risk management] assessment of each department handling the nonpublic information.
Subtitle B: Fraudulent Access to Financial Information
Social engineering occurs when someone tries to gain access to personal nonpublic information without proper authority.

eEye solutions take into consideration the requirements of our clients that need to monitor systems for vulnerabilities against these regulatory compliance initiatives. Retina CS has dedicated scanning and report templates for both SOX and GLBA, and Retina Insight provides long-term data warehouse reporting on security trends and regulatory compliance. For example, the report below shows SOX trending over the last few months for Section 404:

Guarding against financial tampering is difficult when systems have known vulnerabilities that can be leveraged to disrupt operations, steal information, or alter underlying data. The example highlights how IT processes failed to fix vulnerabilities from July 2010 until March 2011. After March, some mitigation was performed to lower the risk, but not enough to ensure that a threat could no longer tamper with critical systems. The data is presented in terms of SOX Section 404 requirements rather than raw vulnerability counts. This allows C-level executives to understand how well they are truly protecting their businesses and which controls are in place to secure data. These types of reports provide the proof behind the financial documents they need to sign, and the peace of mind that their organization is using the correct processes to ensure financial reports are accurate and have not been tampered with.
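The trend view described above, open findings on in-scope systems tracked month over month so that unremediated vulnerabilities show up as a control failure rather than as a raw count, can be reproduced from any scanner's exports. The following is an added example written for this page; it is not eEye or BeyondTrust code and not the Retina Insight report. The host names, finding ids, severities and snapshot dates are all constructed, and the remediation threshold (90 days) is an assumed policy value.

```python
"""Trend open vulnerabilities on in-scope systems across monthly scan snapshots.

Added example, not vendor code. All scan data below is constructed: host names,
finding ids and severities are placeholders standing in for scanner exports.
"""
from collections import Counter
from datetime import date

# Constructed snapshots for three systems in the financial-reporting scope.
# Each finding is (host, finding_id, severity). A finding present in one
# snapshot and absent from the next is treated as remediated.
SNAPSHOTS = {
    date(2010, 7, 1): [
        ("gl-app01", "V-001", "high"),
        ("gl-app01", "V-002", "medium"),
        ("gl-db01", "V-003", "high"),
        ("rpt-web01", "V-004", "low"),
    ],
    date(2010, 11, 1): [
        ("gl-app01", "V-001", "high"),
        ("gl-app01", "V-002", "medium"),
        ("gl-db01", "V-003", "high"),
        ("rpt-web01", "V-004", "low"),
        ("rpt-web01", "V-005", "high"),     # new finding, nothing remediated
    ],
    date(2011, 3, 1): [
        ("gl-app01", "V-001", "high"),
        ("gl-app01", "V-002", "medium"),
        ("gl-db01", "V-003", "high"),
        ("rpt-web01", "V-004", "low"),
        ("rpt-web01", "V-005", "high"),     # unchanged since November
    ],
    date(2011, 5, 1): [
        ("gl-app01", "V-002", "medium"),    # V-001 and V-004 remediated
        ("gl-db01", "V-003", "high"),
        ("rpt-web01", "V-005", "high"),
        ("rpt-web01", "V-006", "medium"),   # newly discovered this month
    ],
}


def trend(snapshots):
    """Per month: (month, open findings, change vs. previous month, counts by severity)."""
    rows, previous = [], None
    for month in sorted(snapshots):
        findings = snapshots[month]
        total = len(findings)
        delta = 0 if previous is None else total - previous
        rows.append((month, total, delta, Counter(sev for _, _, sev in findings)))
        previous = total
    return rows


def first_seen(snapshots):
    """Earliest snapshot in which each (host, finding_id) pair was observed."""
    seen = {}
    for month in sorted(snapshots):
        for host, fid, _ in snapshots[month]:
            seen.setdefault((host, fid), month)
    return seen


def stale_findings(snapshots, max_age_days, as_of=None):
    """Findings still open in the as_of snapshot (default: latest) that have been
    open longer than max_age_days. This is the control view: a finding that keeps
    reappearing across scans is a remediation-process failure, not just a count.
    Returns (host, finding_id, severity, age_in_days), oldest first.
    """
    as_of = max(snapshots) if as_of is None else as_of
    seen = first_seen(snapshots)
    stale = []
    for host, fid, sev in snapshots[as_of]:
        age = (as_of - seen[(host, fid)]).days
        if age > max_age_days:
            stale.append((host, fid, sev, age))
    return sorted(stale, key=lambda row: -row[3])


if __name__ == "__main__":
    for month, total, delta, by_sev in trend(SNAPSHOTS):
        print(f"{month:%Y-%m}: {total} open ({delta:+d})  {dict(by_sev)}")
    for host, fid, sev, age in stale_findings(SNAPSHOTS, max_age_days=90):
        print(f"stale: {host} {fid} [{sev}] open for {age} days")
```

On the constructed data the count rises from 4 to 5 and stays there for two snapshots, which is the "nothing fixed between July and March" pattern from the text; the May snapshot then drops to 4, but three of those findings, including two high-severity ones, have been open for well over 90 days, which is what an executive reading a Section 404 control report needs to see rather than the headline count alone.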
