Evaluating your credit union's security posture - PowerPoint PPT Presentation

Slides: 17
Provided by: scotts70
Transcript and Presenter's Notes

1
Evaluating your credit union's security posture
2
Security Assessments
THE THREAT
Each day, thousands of hacking attempts are undertaken. Many financial institutions experience serious damage due to glaring information security failures. Threats originate from both outside and inside the network. These threats can create substantial financial losses for institutions. While large corporations tighten up network security, hackers are searching for other options. Your credit union may very well be a hacker's next target!
How can CUDefense help your credit union manage these threats?

3
ASSESSMENT SERVICES
  • CUDefense offers three types of assessment services:
      • External assessment
      • Level I assessment
      • Level II comprehensive assessment
  • These services have been developed with the credit union's obligations to the NCUA IST program and Gramm-Leach-Bliley Act in mind.
  • What services are provided with each assessment?


4
EXTERNAL ASSESSMENT
  • During an external assessment, our analysts assume the role of a would-be hacker and attempt to gain access to the credit union's internal network. The external assessment consists of five phases:
      • Reconnaissance
      • Scanning
      • Research
      • Penetration and Social Engineering Testing
      • Analysis and Evaluation


5
RECONNAISSANCE
CUDefense purposely limits the amount of information given to us by the credit union and attempts to gather this information independently, as a hacker would. All publicly available information is gathered during this phase: addresses, telephone numbers, IP addresses, management names, email addresses, and any other information we can find! If we cannot locate this information through public sources, then we will request it from the credit union.
Time for a scan!

6
SCANNING
Based on data gathered during reconnaissance, we use sophisticated scanning techniques against public hosts to find open ports, running services, operating systems in use, and firewall types.
How about a little research?

7
RESEARCH
Using the information gained during the first two phases, we determine possible routes into the credit union's network. This includes investigating known vulnerabilities, researching hacking tools, writing specific programming code, and breaking passwords.
Time for the fun stuff: Penetration and Social Engineering Testing!

8
PENETRATION and SOCIAL ENGINEERING
We attempt to penetrate the credit union's network by contacting employees via telephone or forged email in an attempt to gather confidential information. Modem access testing is conducted during this phase as well. After any successful penetration of the network, we examine where this may lead and how far into the network we can go. System administrators are informed of the penetration and a solution to the security vulnerability is developed.
CUDefense will not attempt to exploit a vulnerability if we feel it represents a danger to the network or servers, nor do we attempt to gain access to the data processing host. We will, however, notify the credit union if we determine the possibility exists.

9
TESTING CONTINUED
Our security team also examines the credit union's marketing and Internet Banking Web sites for potential security problems in addition to confidentiality or privacy concerns. Internet Banking authentication mechanisms and application security controls can be tested upon request. This additional testing may require permission from the Internet Banking system provider.
The results are in

10
ANALYSIS AND EVALUATION
Discovered vulnerabilities are analyzed and evaluated, and a detailed confidential report is produced. Reports include a non-technical executive summary in addition to detailed technical discussions of problems found. Security issues discovered during the audit are discussed and specific mitigation instructions and recommendations are included. Appendices of investigative data are included as appropriate. CUDefense also conducts in-depth out-briefings with credit union management via conference call if requested.
How much does an External Assessment cost?

11
LEVEL I ASSESSMENT
  • The Level I assessment includes an off-site review of the credit union's information systems using a suite of sophisticated software tools combined with network inspection and research. The CUDefense team examines your security process and determines where the dangers on the inside of the network lie.
  • The Level I assessment includes, but is not limited to, the following features:
      • Provide a list of software installed on the network
      • Evaluate security implementation of domain controllers/user administration databases
      • Evaluate utilization of Domains and Groups to meet internal control objectives


12
FEATURES CONTINUED
  • Review of File Attributes of shares
  • Evaluate ADMIN and ADMIN equivalent users and
    login
  • Utilize software to perform vulnerability
    scanning on servers and desktop computers
  • Available on either a one-time or a subscription basis


13
LEVEL II ASSESSMENT
  • Our Level II assessment is more thorough, combining our Level I and External evaluations in addition to the following:
      • Obtain and review policies addressing information security, Internet access, email, and remote access
      • Obtain and review network topology
      • Evaluate third-party access to the network
      • Review physical security and operating procedures
      • Review IDS/IPS
      • Evaluate content and email filtering


14
FEATURES CONTINUED
  • Examine patch management
  • Interview staff including Information Systems,
    Accounting, and Human Resources
  • Evaluate encryption mechanisms in use
  • Examine change of management procedures
  • along with other reviews and evaluations!
  • What else?


15
WEB PORTAL

Customers also receive access to our Aggregated Security Management System (ASMS). This secure web portal enables clients to communicate with our security analysts and view a draft of their assessment report.

IMPROVING SECURITY POSTURE
Threat management is a proactive process. CUDefense offers ongoing protection through our Security Assessment Subscriptions. A subscription provides ongoing evaluation of the credit union's information security posture from the Internet, thus greatly increasing its security profile.
16
QUESTIONS OR COMMENTS??
