Some Security Issues and Concerns in the Financial Services Industry

About This Presentation

Title:

Some Security Issues and Concerns in the Financial Services Industry

Description:

Ensure acceptable encryption (telco enforcement or provide information for Citi to enforce) ... Beginning to look at establishing WAP gateways within Citi ... – PowerPoint PPT presentation

Number of Views:56

Avg rating:3.0/5.0

Slides: 12

Provided by: davids322

Category:

more less

Transcript and Presenter's Notes

Title: Some Security Issues and Concerns in the Financial Services Industry

1
Some Security Issues and Concerns in the
Financial Services Industry

Daniel Schutzer
eCiti Technology
Daniel.M.Schutzer_at_citi.com
1-212-559-1876

2
Security Issues

Protecting our systems from disruption and
service denial attacks
Firewalls and anti-virus software
Keeping up with the patches and updates
Dependencies on others e.g. Telecommunications
Networks vulnerabilities our customer's PC
vulnerabilities
Robustness and survivability alternate sites
and contingency plans
Overcoming social engineering
The insider threat
Issues of liability and responsibility of vendors
for their products security flaws

3
Security Issues

Prevention of stealing and manipulating data and
fraud
Audit and Anomaly detection software
Encryption and digital signatures
Authorization versus authentication
Finding and prosecuting criminals and vandals
Tracing, tracking, active entrapment,
misinformation, wire-tapping

4
Security Issues

The desire for Single Sign-On
Added convenience
Bigger target
The legacy problem
Relationship to Single Sign-On for the Enterprise
and for the Internet trusted third parties
Strong authentication and use restrictions
PKI, tokens, smart cards and biometrics
Juggling the trade-off
Improving security by constraining and limiting
employee and customers actions
Improving security by adding cost and
inconvenience

5
Security Issues

Issues stemming from new technology trends
Mobile applications (example)
Peer-to-Peer
Interactive TV
Web services

6
Mobile Application Components
7
Security Approach

Generally aligned with internet application
security approach
Particular areas of concern
Specific security guidelines for individual
content types and devices
Increased application level emphasis for ethical
hacks
Security review of carriers/telcos for 2-zone
security models
User authentication
Session Management (platform/application issue)
Susceptibility to site spoofing
Logging and fraud detection

8
Content and Devices

Currently mostly mobile specific protocols and
content format
WML and HDML
WAP (including WTLS)
Slowly converging/migrating to internet standard
protocols and content
HTML, XML, Java
HTTP and SSL
Combinatorial complexity (device, browser,
gateway, content)
Devices/content specific issues
Buttons and navigation
Storage (bookmark, cookies, variables, caching)
UI (including security and data/password entry)
Security (encryption, access control, key
storage, trust management)
Guidance for developers and ethical hackers to
test security of application data

9
Telcos and Gateways

2-zone browser model and SMS transactions involve
potential exposure at telco
Developed standard questionnaire and SLA terms
Protection of information exposed at carrier
Ensure acceptable encryption (telco enforcement
or provide information for Citi to enforce)
Provide persistent, reliable identifier (e.g.
MSISDN or equivalent)
Change management
Evaluation requires assessment of standard telco
gateways, which vary substantially
Openwave, Nokia, CMG, Ericsson
Beginning to look at establishing WAP gateways
within Citi
Complicated by navigation and configuration
options in devices
Some carriers/devices still not able to support
128 bit encryption
Business risk decision on whether to accept
weaker encryption on some channels
2-zone operation requires controlling which
carriers are allowed to access the application
Either by IP address filtering or by
authenticating the incoming gateway