BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Unified Vulnerability Management for Financial Organizations

Posted June 14, 2011    Morey Haber

If you are in the financial sector, how are you protecting your financial systems from tampering? If you are the CEO or CFO you must ensure that you financial reports are accurate, delivered in a timely fashion, and do not contain any information that was tampered with. This requires securing critical information technology systems that contain this data and the systems that they are interconnected with. The entire infrastructure that supports this is commonly referred to as the “scope“. Systems in Scope have interconnections between them and are used to transfer data or process data elements used to create accurate records. For the executive signing off on an organization’s financial reports, ensuring that all the systems in scope are not tampered with is a critical function that they must get right. The tampering of data can occur in a variety of ways but the most critical is when it is done using flaws in the underlying technology such as vulnerabilities. This is where a Unified Vulnerability Management program becomes a strategic part in ensuring the accuracy of a financial organization’s reports. It can identify flaws in the technology, make recommendations for remediation, perform patch mitigation, and provide protection against zero day vulnerabilities and Advanced Persistent Threats.

This type of security is covered by two different regulatory initiatives that may be applicable to your financial organization:

SOX
Description
In July 2002, the United States Congress passed the Sarbanes-Oxley Act (“SOX”), which was primarily designed to restore investor confidence following well-publicized bankruptcies that brought chief executives, audit committees, and independent auditors under heavy scrutiny.  The act is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC).  Financial data and documentation are at the heart of the compliancy issue. 

Vulnerability and Risk Requirements
SOX Section 404: Assessment of Internal Control
Understand the flow of transactions, including IT aspects, to identify points at which a misstatement could arise. Evaluate controls designed to prevent or detect fraud. Perform a fraud risk assessment.

GLBA
Description
The Gramm-Leach-Bliley Act (GLBA) was enacted to ensure protection over customer’s records and information. To satisfy the rules and provisions of GLBA, financial institutions are required to perform security risk assessments, develop and implement security solutions that effectivelydetect, prevent, and allow timely incident response, and to perform auditing and monitoring of their security environment.

Vulnerability and Risk Requirements
Section 508
Subtitle A: Disclosure of Nonpublic Personal Information
Constructing a thorough [risk management] on each department handling the nonpublic information
Subtitle B: Fraudulent Access to Financial Information
Social engineering occurs when someone tries to gain access to personal nonpublic information without proper authority

eEye solutions have taken into consideration the requirements of our clients that need to monitor systems for vulnerabilities and these regulatory compliance initiatives. Retina CS has dedicated scanning and report templates for both SOX and GLBA, and Retina Insight provides long term data warehouse reporting on security trends and regulation compliance. For example, the report below shows SOX trending over last few months for Section 404:

Ensuring against financial tampering is difficult when systems have known vulnerabilities that can be leveraged to disrupt operations, steal information, or alter underlying data. The example highlights how IT processes have not been fixing vulnerabilities from July 2010 until March 2011. After March, some mitigation was performed to lower the risk but not enough to fully ensure that a threat could still not tamper with critical systems. This process has been displayed in the form of Section 404 requirements for SOX and not just raw vulnerability data. It allows C level executives to understand how they are truly protecting their businesses and the controls in place to secure data. These types of reports provide the proof to the financial documents they need to sign and the piece of mind that their organization is using the correct processes to ensuring financial reports are accurate and have not been tampered with.

For more information on Retina CS or Retina Insight, please click here. 

Additional articles

CyberResiliency

6 things I like about Gartner’s Cyber Resiliency Strategy

Posted August 27, 2015    Nigel Hedges

There were 6 key principles, or recommendations, that Gartner suggested were important drivers towards a great cyber resiliency posture. I commented more than once during the conference that many of these things were not new. They are all important recommendations that are best when placed together and given to senior management and the board – a critical element of organisations that desperately need to “get it”.

Tags:
,
powerbroker-difference-1

Why Customers Choose PowerBroker: Flexible Deployment Options

Posted August 26, 2015    Scott Lang

BeyondTrust commissioned a study of our customer base in early 2015 to determine how we are different from other alternatives in the market. What we learned was that there were six key differentiators that separate BeyondTrust from other solution providers in the market. We call it the PowerBroker difference,

Tags:
, ,
Mac-Security-Enterprise

On Demand Webinar: Security Risk of Mac OS X in the Enterprise

Posted August 20, 2015    BeyondTrust Software

In the last several years, Mac administrators have come to realize that they may be just as vulnerable to exploits and malware as most other operating systems. New malware and adware is released all the time, and there have been serious vulnerabilities patched by Apple in the past several years, some of which may afford attackers full control of your systems.

Tags:
, ,