Security in Context: The BeyondTrust Blog

Unified Vulnerability Management for Financial Organizations

Posted June 14, 2011    Morey Haber

If you are in the financial sector, how are you protecting your financial systems from tampering? If you are the CEO or CFO, you must ensure that your financial reports are accurate, delivered in a timely fashion, and do not contain any information that has been tampered with. This requires securing the critical information technology systems that contain this data and the systems they are interconnected with. The entire infrastructure that supports this is commonly referred to as the “scope”. Systems in scope have interconnections between them and are used to transfer or process the data elements used to create accurate records. For the executive signing off on an organization’s financial reports, ensuring that none of the systems in scope have been tampered with is a critical function they must get right. Tampering with data can occur in a variety of ways, but the most critical is when it is done using flaws in the underlying technology, such as vulnerabilities. This is where a Unified Vulnerability Management program becomes a strategic part of ensuring the accuracy of a financial organization’s reports: it can identify flaws in the technology, make recommendations for remediation, perform patch mitigation, and provide protection against zero-day vulnerabilities and Advanced Persistent Threats.

This type of security is covered by two different regulatory initiatives that may be applicable to your financial organization:

SOX
Description
In July 2002, the United States Congress passed the Sarbanes-Oxley Act (“SOX”), which was primarily designed to restore investor confidence following well-publicized bankruptcies that brought chief executives, audit committees, and independent auditors under heavy scrutiny. The act is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC). Financial data and documentation are at the heart of the compliance issue.

Vulnerability and Risk Requirements
SOX Section 404: Assessment of Internal Control
Understand the flow of transactions, including IT aspects, to identify points at which a misstatement could arise. Evaluate controls designed to prevent or detect fraud. Perform a fraud risk assessment.

GLBA
Description
The Gramm-Leach-Bliley Act (GLBA) was enacted to ensure the protection of customers’ records and information. To satisfy the rules and provisions of GLBA, financial institutions are required to perform security risk assessments, develop and implement security solutions that effectively detect, prevent, and allow timely incident response, and perform auditing and monitoring of their security environment.

Vulnerability and Risk Requirements
Section 508
Subtitle A: Disclosure of Nonpublic Personal Information
Constructing a thorough [risk management] process for each department handling the nonpublic information
Subtitle B: Fraudulent Access to Financial Information
Social engineering occurs when someone tries to gain access to personal nonpublic information without proper authority

eEye solutions have taken into consideration the requirements of our clients that need to monitor systems for vulnerabilities and these regulatory compliance initiatives. Retina CS has dedicated scanning and report templates for both SOX and GLBA, and Retina Insight provides long-term data warehouse reporting on security trends and regulatory compliance. For example, the report below shows SOX trending over the last few months for Section 404:

Guarding against financial tampering is difficult when systems have known vulnerabilities that can be leveraged to disrupt operations, steal information, or alter underlying data. The example highlights how IT processes had not been fixing vulnerabilities from July 2010 until March 2011. After March, some mitigation was performed to lower the risk, but not enough to ensure that a threat could no longer tamper with critical systems. This trend is displayed in the form of Section 404 requirements for SOX rather than as raw vulnerability data. It allows C-level executives to understand how they are truly protecting their businesses and which controls are in place to secure data. These types of reports provide the proof behind the financial documents they need to sign, and the peace of mind that their organization is using the correct processes to ensure financial reports are accurate and have not been tampered with.
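As an added illustration (not code from the post or from eEye's products), the following Python script derives the set of in-scope systems from their interconnections and then tracks open vulnerabilities across that scope month by month, flagging the months where nothing was remediated, which is the pattern the Section 404 chart above describes. All system names and counts are constructed sample data.

```python
from collections import deque

# Constructed sample data, not taken from the original post: which system
# sends data to which (interconnections), and open vulnerability counts per
# system from four monthly scans.
INTERCONNECTIONS = {
    "gl-ledger": ["erp-app", "reporting-db"],
    "erp-app": ["hr-payroll"],
    "reporting-db": ["etl-batch"],
    "etl-batch": [],
    "hr-payroll": [],
    "marketing-web": ["cms-db"],  # no path to financial reporting: out of scope
    "cms-db": [],
}
SCANS = {
    "2010-07": {"gl-ledger": 4, "erp-app": 6, "reporting-db": 3, "etl-batch": 2,
                "hr-payroll": 5, "marketing-web": 9, "cms-db": 1},
    "2010-08": {"gl-ledger": 4, "erp-app": 7, "reporting-db": 3, "etl-batch": 2,
                "hr-payroll": 5, "marketing-web": 5, "cms-db": 1},
    "2010-09": {"gl-ledger": 4, "erp-app": 7, "reporting-db": 3, "etl-batch": 2,
                "hr-payroll": 5, "marketing-web": 2, "cms-db": 0},
    "2010-10": {"gl-ledger": 2, "erp-app": 3, "reporting-db": 1, "etl-batch": 2,
                "hr-payroll": 2, "marketing-web": 2, "cms-db": 0},
}

def systems_in_scope(root, links):
    """Everything reachable from the financial reporting system is in scope."""
    seen, queue = {root}, deque([root])
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def scope_trend(scans, scope):
    """[(month, open vulnerabilities on in-scope systems)], oldest month first."""
    return [(month, sum(n for sys, n in results.items() if sys in scope))
            for month, results in sorted(scans.items())]

def stagnant_months(trend):
    """Months in which the in-scope open count did not fall from the prior month."""
    return [m for (_, prev), (m, cur) in zip(trend, trend[1:]) if cur >= prev]

def remediation_rate(trend):
    """Fraction of the first month's in-scope findings that were closed by the last month."""
    first, last = trend[0][1], trend[-1][1]
    return (first - last) / first if first else 0.0

if __name__ == "__main__":
    scope = systems_in_scope("gl-ledger", INTERCONNECTIONS)
    trend = scope_trend(SCANS, scope)
    print(sorted(scope), trend, stagnant_months(trend), remediation_rate(trend))
```

Out-of-scope systems such as the marketing web server are excluded from the count, so their cleanup does not mask a lack of remediation on the systems that feed the financial reports.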

