Secure Network Design: Full Service Bank - PowerPoint PPT Presentation

Slides: 43
Provided by: antonio101
Transcript and Presenter's Notes

1
Secure Network Design Full Service Bank
Woo Hyeok Lim and Antonio Quiroz
2
Organizational Overview
  • The bank's principal business is attracting funds
    from the investing public and investing the
    funds in mortgage loans secured by residential
    real estate
  • Headquartered in San Antonio, Texas, the bank
    operates in four states: Texas, New Mexico,
    Arizona and Nevada
  • The bank has 25 branches and loan centers in four
    states

3
Organizational Overview (Cont.)
  • Due to low interest rates and record home sales
    in Texas and Arizona, the bank has been
    experiencing double digit growth over the past
    five years.
  • It anticipates adding more loan centers and
    branches over the next five years
  • The IT infrastructure: Microsoft and a DB2
    mainframe

4
Organizational Overview (Cont.)
  • In the future, the bank intends to invest heavily
    to set up a web presence, allow mobile workers to
    access the network and upgrade its servers.
  • Customers are requesting information on checking
    and loan activity over the internet
  • Check 21

5
Regulatory Agencies
  • The bank is governed by the Office of Thrift
    Supervision (OTS) and is subject to OTS
    regulation and examination
  • Deposits are insured by the Federal Deposit
    Insurance Corporation (FDIC) and the bank is
    subject to FDIC regulation

6
Sarbanes-Oxley
  • Applies to all publicly held corporations that
    file quarterly and yearly financial statements
    with the Securities and Exchange Commission
  • Sarbanes-Oxley requires the Chief Executive
    Officer and Chief Financial Officer to certify
    that financial reports have been reviewed for
    accuracy and have disclosed any significant
    deficiency in the internal control structure

7
Gramm-Leach-Bliley Act
  • The number one threat faced by financial
    institutions is unauthorized access to customer
    information
  • The goal of the Gramm-Leach-Bliley Act is to require
    financial institutions to protect nonpublic
    personal information from unauthorized
    disclosure, misuse, alteration or destruction.
  • The Gramm-Leach-Bliley Act required the Agencies to
    establish standards to ensure the security and
    confidentiality of customer information

8
Gramm-Leach-Bliley Act
  • The Financial Privacy Rule governs the collection
    and disclosure of customers' personal financial
    information by financial institutions
  • The Safeguards Rule requires all financial
    institutions to design, implement and maintain
    safeguards to protect customer information

9
Gramm-Leach-Bliley Act
  • Involve the board of directors and senior
    management
  • Assess risk
  • Manage and control risk
  • Oversee service provider arrangements
  • Adjust the program
  • Report to the board

10
Gramm-Leach-Bliley Act
  • Involve the board of directors and senior
    management
  • The Board of Directors, or the bank management
    that has authority over and accountability for
    bank operations, is required to approve the
    written information security program.

11
Gramm-Leach-Bliley Act
  • Assess Risk
  • Identify reasonably foreseeable internal and
    external threats
  • Assess the likelihood and potential damage of
    these threats

12
Gramm-Leach-Bliley Act
  • Manage and control risk
  • Access controls on customer information systems
  • Encryption of electronic customer information,
    including while in transit or in storage on
    networks or systems
  • Monitoring systems and procedures to detect
    actual and attempted attacks or intrusions

13
Gramm-Leach-Bliley Act
  • Oversee service provider arrangements
  • It is the bank's responsibility to protect its
    customers' data regardless of who maintains it or
    where it is located.
  • The intent here is that a bank cannot shift all
    liability to its service providers

14
Gramm-Leach-Bliley Act
  • Adjust the Program
  • Monitor, evaluate, and adjust the information
    security program in light of any relevant changes
  • Report to the Board
  • On an annual basis, bank management will report
    to its board the status of the information
    security program and the bank's compliance with
    the guidelines

15
Current Design
16
Read Attacks
  • External Intrusion via Internet
  • Unauthorized intrusion through analog lines and
    PBX
  • Passive attacks through frame relay connection

17
External Intrusion via Internet
  • External intrusion via the internet is the
    biggest threat.
  • Community Bank maintains critical information
    such as social security numbers, date of birth,
    credit card information and checking account
    information
  • Policy: Internet DMZ Equipment Policy

18
Analog Lines and PBX
  • Represents a potential backdoor for intruders
  • Analog lines misuse can occur when an outside
    attacker connects to a computer that has a modem
  • Policy: Request for Analog Lines and External
    Connections

19
Passive Attacks Through Frame Relay
  • The bank's branches and loan centers communicate
    with headquarters using frame relay.
  • Confidential information is transmitted between
    the branches and headquarters, so there exists
    the potential for an attacker to intercept the
    information by capturing packets off the wire.
  • Policy: Third Party Connection Agreement and
    Encryption Policy

20
Composite Attacks
  • Worms, Viruses and Trojans
  • The second most serious threat to Community Bank
    is worms, viruses and Trojans
  • Worms typically attack the organization
    externally but employees (and other insiders)
    introduce viruses and Trojans to the organization
  • Policies: a) Internet and email usage policy and
    guidelines; b) Hardening and patching policy;
    c) Virus Protection and Software Use policy

21
Identity Spoofing
  • Policy: Password Security Policy
  • Enforce password history
  • Maximum and minimum password age
  • Minimum password length and complexity
    requirements
  • Account lockout policies
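The four password settings on this slide (history, minimum/maximum age, length and complexity, lockout) are usually configured in a directory rather than written by hand, but seeing them enforced in code makes the interactions clear. The following is an added example, not part of the original presentation or the bank's environment: a small account model that applies a constructed policy (12 remembered passwords, 1-day minimum and 90-day maximum age, 12 characters from at least 3 character classes, lockout for 30 minutes after 5 failures) on password change and on login. The numeric values and the PBKDF2 storage format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy values are constructed for this example; the slide names the
# settings but not the bank's actual numbers.
@dataclass(frozen=True)
class PasswordPolicy:
    history_size: int = 12                          # old passwords remembered
    min_age: timedelta = timedelta(days=1)          # earliest permitted change
    max_age: timedelta = timedelta(days=90)         # forced change after this
    min_length: int = 12
    complexity_classes: int = 3                     # of lower/upper/digit/symbol
    lockout_threshold: int = 5                      # failures before lockout
    lockout_duration: timedelta = timedelta(minutes=30)


def complexity_classes(password: str) -> int:
    """Count how many character classes (lower, upper, digit, symbol) appear."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


@dataclass
class Account:
    policy: PasswordPolicy
    salt: bytes = field(default_factory=lambda: os.urandom(16))  # one salt per account
    history: list = field(default_factory=list)   # PBKDF2 digests, newest last
    changed_at: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    def _hash(self, password: str) -> bytes:
        # One salt per account keeps the history comparison simple; this is an
        # assumption of the example, not a recommendation from the slides.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, new_password: str, now: datetime) -> str:
        """Apply the policy to a change request; returns 'ok' or the failing rule."""
        p = self.policy
        if self.changed_at is not None and now - self.changed_at < p.min_age:
            return "min_age"                         # minimum age blocks rapid cycling
        if len(new_password) < p.min_length:
            return "length"
        if complexity_classes(new_password) < p.complexity_classes:
            return "complexity"
        digest = self._hash(new_password)
        if any(hmac.compare_digest(digest, old) for old in self.history):
            return "history"                         # reuse of a remembered password
        self.history.append(digest)
        del self.history[:-p.history_size]          # keep only the last N digests
        self.changed_at = now
        return "ok"

    def authenticate(self, password: str, now: datetime) -> str:
        """Returns 'ok', 'expired', 'denied' or 'locked'."""
        p = self.policy
        if self.locked_until is not None and now < self.locked_until:
            return "locked"                          # lockout still in force
        self.locked_until = None
        if self.history and hmac.compare_digest(self._hash(password), self.history[-1]):
            self.failed_attempts = 0
            if now - self.changed_at > p.max_age:
                return "expired"                     # maximum age forces a change
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= p.lockout_threshold:
            self.failed_attempts = 0
            self.locked_until = now + p.lockout_duration
            return "locked"
        return "denied"


if __name__ == "__main__":
    acct = Account(PasswordPolicy())
    t0 = datetime(2024, 1, 1)
    print(acct.set_password("Correct-Horse-42", t0))                         # ok
    print(acct.set_password("Another-Pass-99", t0 + timedelta(hours=1)))     # min_age
    print(acct.set_password("Correct-Horse-42", t0 + timedelta(days=2)))     # history
    print(acct.authenticate("Correct-Horse-42", t0 + timedelta(days=91)))    # expired
```

Note the ordering: the minimum-age check runs before anything else, which is what stops a user from cycling through 12 throwaway passwords in one sitting to get back to a favourite one; without it the history rule is easy to defeat.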

22
Flooding
  • Denial of Service and DDOS
  • Email
  • SYN Flood
  • The company must establish an agreement with the
    service provider to mitigate flood attacks

23
Other Policies
  • Incident Response Plan
  • Patching Policy for Internal and External
    Networks
  • Disaster Recovery Plan
  • Portable Computer Security Policy

24
Proposed Design
  • Establish a formal DMZ
  • Separate servers
  • Classify the network

25
Proposed Design
DMZ
26
Proposed Design - NIDS
  • Signature-Based NIDS
  • A programmed match of known attack patterns
  • Anomaly-Based NIDS
  • CPU utilization
  • File usage
  • User logins
  • Other activities
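The slide contrasts the two NIDS styles in one line each; the difference is easier to see with both detectors running over the same data. The block below is an added example and not part of the presentation or any product: a signature detector doing a "programmed match" of constructed rule patterns against sample payloads, and an anomaly detector that learns a baseline of user logins per hour (one of the activities listed on the slide) and flags hours that deviate from it by more than three standard deviations. The rule names, the payloads and the login counts are all constructed for the example.

```python
import re
import statistics
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: "re.Pattern[str]"


# Constructed rules standing in for a vendor rule set: each is a programmed
# match of a known pattern, which is the slide's definition of signature NIDS.
SIGNATURES = (
    Signature("http-directory-traversal", re.compile(r"\.\./")),
    Signature("smtp-address-probe", re.compile(r"^VRFY\b", re.IGNORECASE)),
)


def signature_alerts(payloads: Sequence[str],
                     signatures=SIGNATURES) -> List[Tuple[int, str]]:
    """Signature-based: (payload index, rule name) for every known pattern seen."""
    return [(i, sig.name)
            for i, payload in enumerate(payloads)
            for sig in signatures
            if sig.pattern.search(payload)]


def anomaly_alerts(baseline: Sequence[float], observed: Sequence[float],
                   threshold: float = 3.0) -> List[Tuple[int, float]]:
    """Anomaly-based: (index, z-score) for observations far from the learned baseline."""
    mean = statistics.fmean(baseline)
    spread = statistics.pstdev(baseline)
    alerts = []
    for i, value in enumerate(observed):
        if spread == 0:
            if value != mean:                # flat baseline: any change is anomalous
                alerts.append((i, float("inf")))
            continue
        z = (value - mean) / spread
        if abs(z) > threshold:
            alerts.append((i, round(z, 2)))
    return alerts


# Constructed sample traffic as the DMZ sensor would see it: HTTP and SMTP.
SAMPLE_PAYLOADS = [
    "GET /index.html HTTP/1.0",
    "GET /images/../../private/ HTTP/1.0",
    "MAIL FROM:<teller@example.com>",
    "VRFY postmaster",
]

# Constructed baseline: logins per hour over ten quiet hours, then three
# observed hours, the second with an unusual surge.
LOGIN_BASELINE = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15]
LOGIN_OBSERVED = [14, 40, 13]


if __name__ == "__main__":
    print(signature_alerts(SAMPLE_PAYLOADS))               # payloads 1 and 3 match
    print(anomaly_alerts(LOGIN_BASELINE, LOGIN_OBSERVED))  # hour 1 is the surge
```

The two detectors are blind to each other's cases: the signature rules say nothing about the login surge, and the baseline says nothing about the traversal string. That is why the proposed design lists both kinds rather than choosing one.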

27
Proposed Design - Firewalls
  • Telecom Firewall
  • Detect
  • Log
  • Alarm
  • Block

28
Proposed Design - VPN
  • Concerns for VPN Client
  • Always-On nature of broadband Internet
    connections
  • Installation of personal firewalls
  • Antivirus software
  • The remote PC itself

29
Proposed Design - Servers
  • Separate servers
  • Public servers
  • Internal servers
  • Separate data
  • Customer Data
  • HR Data
  • Finance Data
  • etc

30
Proposed Design - Multiple Levels of Trust
Untrusted
Trusted
Unknown
31
Proposed Design - Others
  • Mail Sweeper
  • External email server
  • URL Filter
  • Block users from accessing the Internet

32
Migration Strategy
  • Hardening the DMZ
  • Configure Network Devices
  • Encrypt all communication over WAN
  • The Board of Directors reviews and approves all
    policies and procedures

33
Migration Strategy - DMZ
  • Stateful Firewall
  • Restrict logins (authenticate)
  • Use SSH
  • Logging
  • Signature-Based NIDS
  • Enable logging
  • Use SSH
  • Disable unneeded services

34
Migration Strategy - DMZ
  • Public Servers
  • Web Server
  • Use port 80 (HTTP)
  • Close ports
  • Email server
  • Use port 110 (POP) and port 25 (SMTP)
  • Close ports
  • The latest anti-virus software
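"Close ports" and "disable unneeded services" on these two slides are only as good as the check that finds what is still listening after the migration. The following is an added example, not part of the presentation: it parses a constructed netstat-style listing from a DMZ host and compares the listening TCP ports against the per-role allowlist the slides give (web: 80; email: 25 and 110). Port 22 is assumed to be the SSH management channel the "Use SSH" bullet refers to and is allowed on every role; the netstat text and host addresses are constructed for the example.

```python
import re
from typing import Dict, Set, Tuple

# Expected listeners per DMZ role, from the slides: web on 80, mail on 25 and
# 110. SSH on 22 is an assumption of this example (the management channel);
# anything else that is listening is an unneeded service to disable.
MANAGEMENT_PORTS = {22}
ROLE_ALLOWLIST: Dict[str, Set[int]] = {
    "web": {80},
    "mail": {25, 110},
}

# Matches one line of `netstat -an` output for a listening TCP socket:
# proto, recv-q, send-q, local address, foreign address, state.
_LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\b")


def listening_ports(netstat_output: str) -> Set[int]:
    """Parse netstat-style text into the set of listening TCP port numbers."""
    ports = set()
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line.strip())
        if m:
            local = m.group(2)
            ports.add(int(local.rsplit(":", 1)[1]))   # works for 0.0.0.0:80 and :::80
    return ports


def audit_listeners(role: str, listening: Set[int]) -> Tuple[Set[int], Set[int]]:
    """Return (ports to close, expected ports that are not listening) for a host of this role."""
    allowed = ROLE_ALLOWLIST[role] | MANAGEMENT_PORTS
    to_close = listening - allowed
    missing = ROLE_ALLOWLIST[role] - listening
    return to_close, missing


# Constructed netstat output for a freshly migrated DMZ web server: besides
# HTTP and SSH it still exposes NetBIOS/SMB, which the policy says to close.
WEB_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 10.0.1.5:80             203.0.113.7:51022       ESTABLISHED
"""

# Constructed output for the mail server: IMAP (143) is listening but the
# policy only permits POP (110) and SMTP (25), and POP is not running at all.
MAIL_NETSTAT = """\
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::143                  :::*                    LISTEN
"""


if __name__ == "__main__":
    for role, text in (("web", WEB_NETSTAT), ("mail", MAIL_NETSTAT)):
        to_close, missing = audit_listeners(role, listening_ports(text))
        print(f"{role}: close {sorted(to_close)}, missing {sorted(missing)}")
```

Reporting the missing side as well as the excess side matters: a migration that closes every port on the mail server has also closed POP, and the check should say so rather than declare the host compliant.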

35
Migration Strategy - VPN
  • IPsec
  • Use 3DES
  • No split tunneling
  • Topology of hub and spoke

36
Migration Strategy - WAN
  • Use 3DES for Frame Relay
  • Comply with GLB

37
Migration Strategy - Report
  • All policy and procedures should be reviewed and
    approved by the Board of Directors
  • Network design should be reviewed and approved by
    the Board of Directors
  • Penetration testing should be scheduled

38
  • Questions?

39
Class Questions
  • What is the goal of the Gramm Leach Bliley Act?

40
Class Questions
  • Answer to Question 1
  • Requires financial institutions to protect
    nonpublic personal information from unauthorized
    disclosure, misuse, alteration or destruction.

41
Class Questions
  • Which act was created to address the accounting
    scandals brought on by Enron and WorldCom?

42
Class Questions
  • Answer to Question 2
  • Sarbanes-Oxley