
An AAXXISS.COM White Paper

http://www.aaxxiss.com

Banking and Financial Sectors - Security Issues

By George B Tselentis, CISM
Sr. Security Analyst

September 18, 2009 © Copyright – AAXXISS.COM – George B Tselentis, CISM


Contents
Introduction
The Issues
AAXXISS.COM Testing Solution
Implementation
Summary

Introduction

The Threat is Real …
The report issued by The NIC (The National Intelligence Council (NIC) is the Intelligence Community's (IC's) center for midterm and long-term strategic thinking): “Cyber attacks will provide both state and nonstate adversaries new options for action against the United States beyond mere words but short of physical attacks ---strategic options that include the selection of either nonlethal or lethal damage and the prospect of anonymity”. Reference: The GLOBAL THREATS 2015 Project, NIC, Page 34.

The Threat is growing …

“Our wired society puts all of us, US business in particular, because they must maintain an open exchange with customers, at higher risk from enemies. In general, IT's spread and the growth of worldwide digital networks mean that we are challenged to think more broadly about national security”. Reference: Statement for the Record to the Joint Economic Committee, Lawrence K. Gershwin, National Intelligence Officer for Science and Technology, 21 June 2001.

Issues
The security issues that we face today in the Internet space are increasing, and the threats are ever changing, forming a 360-degree security threat.

AAXXISS.COM Solutions
We offer a wide range of real world testing. Although we cannot guarantee the outcome, we can guarantee that the testing will alert senior management to possible gaps and/or findings, as part of our deliverable.

Scenario / Outcome
Real World Security Testing

Implementation
If you don’t test it, you cannot measure it; and if you cannot measure it, you will never know if it is effective. “Real World Security Tests for real world threats”.

Summary
The benefit to a financial institution includes real world solutions, issued in a final report, that contain inexpensive recommendations to justify a change in procedures, staff, software, training, and other enhancements.



Challenge - AAXXISS.COM and Scenario / Outcome

It is critical for financial institutions to test their IT security programs in a real world setting.

The goal of this assessment was to acquire “physical access”, then work with the IT department to correct or mitigate the vulnerability. The attack began with a reconnaissance of the Bank's primary facility, which opened a whole world of possibilities including gaining physical access to the firewalls.

Access to the Bank's primary facility wiring closet was monitored for one day. It was during the reconnaissance that it was ascertained that the access doors to a maintenance area were unlocked in the morning and never locked or secured during the day. As expected, the well-dressed gentleman loitering in the lobby for the day gained access to the closet, took photos, placed an envelope with his business card, and did whatever else was required to gain control of the financial systems, without really threatening production or business systems.

The following assets were breached:
1. The phone closet (a common closet in a public area, unlocked) and the DEMARC (demarcation point of the telephone lines)
2. The Fed wire (Fedwire operates within the context of the Federal Reserve's overall information security architecture)
3. The entire backbone of the network, including the firewall.

Day 1 – Reconnaissance…eight (8) hours.
Day 2 – Gained access to primary facility wiring and firewall…ten (10) minutes.

The total time of the attack including the reconnaissance was 10 hours 5 minutes.

Outcome
A final report was issued containing recommendations that were used to justify a change in procedures, staff, software, training, and other enhancements. The entire technology and business operations staff learned how to identify and deal with a possible person performing a reconnaissance, in an effective and non-threatening manner.



Challenge - AAXXISS.COM and Scenario / Outcome

A boutique banking institution had requested that an Office of Comptroller of Cash pre-assessment be completed. This was only part of the test phase, which included other security tests. The first phase of the test was run, in which the following assets were breached:
1. The Cash Room
2. All the executive offices, including the board room.

Day 1 – Reconnaissance, one (1) hour.
Day 2 – Gained physical access to primary facility…five (5) minutes.

The total time of the attack including the reconnaissance was 1 hour 5 minutes.

Outcome
A final report was issued containing recommendations that were used to justify a change in procedures, staff, software, training, and other enhancements. The entire technology and business operations staff learned how to identify and deal with a possible person performing a reconnaissance, in an effective and non-threatening manner.

Summary
The benefit of running a real world security assessment for any financial institution can be measured in the success of those financial institutions that have taken the following steps:
1. Brought in from the outside a professional that performs the real world testing using an approach that a real world intruder would use.
2. Taken the necessary steps to educate the entire organizational workforce to recognize and deal with a person that may be part of a reconnaissance, in an effective and non-threatening manner.
3. Used each of the Scenario – Tests to justify a change in policies, procedures, staff, software, training, and other enhancements.
4. Understood that Security has various elements and that all of those elements must be practiced to be effective.

See other white papers that we offer on security topics including:
- The threats to Banking and Financial institutions.
- The threats to senior management.
- The threats to companies that maintain intellectual material, copyrights, patents and/or special processes that are part of the institutional knowledge of that firm.
- The threats to Insurance.
- The threats to Law Firms.
- The threats to Utilities.

AAXXISS.COM is a US veteran owned business with more than thirty years' experience in the security space. We have an international scope that includes professional contemporaries that have specialized skills and/or expertise in areas such as electronic counter measures (e-sweeps), fraud, internal investigations, security testing, security assessments in fulfillment, and supporting corporations in meeting governance and compliance requirements (SOX, FINRA, GLBA, FinCEN, AML program, HIPAA, OCC, Red Flag, OMB123 including FISMA, Sarbanes Oxley, SAS70, Personal Information protection, reputational, and intellectual property).
