RE: Bank Audit Best practices

["Pete Herzog" <pete () isecom org>]

Dante,

Your advice to the banks is sound and one that would fit with best
practices.  However, this is one of those cases where business
justification trumps best practice.  One suggestion I have made is
that the connection be acessible from only those computers which need
access through a seperate network cable and seperate network rather
than the bank's intranet.  This is "safer" for both. And actually,
it's something I have been seeing more and more of now.

Sincerely,
-pete.

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org



> -----Original Message-----
> From: Dante Mercurio [mailto:Dante () webcti com]
> Sent: Wednesday, March 17, 2004 15:07 PM
> To: pen-test () securityfocus com
> Subject: Bank Audit Best practices
>
>
> I'm looking for some feedback from other people who conduct security
> audits and penetration tests on banks.
>
> One of the network aspects I come across a lot is a direct
> line to their
> transaction processor. This is often in the form of a
> point-to-point or
> frame line that is dropped onsite with a router controlled by the
> processor, not the bank. I always point out that this is a network
> security risk, as there is no control from the bank side
> regarding the
> access provided through that line, and recommend an ACL or
> departmental
> firewall at that point.
>
> As always, the administrators look at me like I recommended
> them selling
> their firstborn. The relationship between the bank and
> their processor
> is very symbiotic as the bank couldn't even exist without their
> services, yet my perspective is any outside system should go through
> some level of border security in order to monitor and
> restrict traffic.
>
> Anyone run into this? How do you handle?
>
> M. Dante Mercurio
> dante () webcti com
> Consulting Group Manager
> Continental Technologies, Inc
> www.webcti.com
>
> ------------------------------------------------------------
> ---------------
> Ethical Hacking at the InfoSec Institute. Mention this ad
> and get $545 off
> any course! All of our class sizes are guaranteed to be 10
> students or less
> to facilitate one-on-one interaction with one of our expert
> instructors.
> Attend a course taught by an expert instructor with years
> of in-the-field
> pen testing experience in our state of the art hacking lab.
> Master the skills
> of an Ethical Hacker to better assess the security of your
> organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_trai
ning.html
----------------------------------------------------------------------
------





---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------