Defcon Wrap Up

August 7, 2009

Defcon finished last weekend and I’ve had nearly a week to put together my final post on this event. It has been tough to formulate my thoughts, because my message is sobering. This blog is written primarily for a readership composed of community-sized banks and credit unions. My dilemma is how to tell them (YOU) that the “hacker” world is technically advanced, internally cooperative, curiously motivated, and unimpeded by corporate “talk” of security and controls. In other words, banks and credit unions, if you merely give security and controls lip service for compliance purposes, you may suffer dearly.

Fortunately, the overwhelming majority of Defcon talks that revealed new exploits, new exploit methods, and/or forward-looking attack vectors were presented by people interested in mitigating the vulnerabilities rather than executing them against unsuspecting organizations. Nearly every speaker spoke of “responsible disclosure,” which gives vendors a chance to patch issues before public disclosure.

The Con really cemented in my mind the need for every community bank and credit union to up the ante. Here is my take… there should be universal voluntary participation by every financial institution to:

• invest in patch management practices that ensure all systems are updated with all critical security patches within 7 days of release (down from the 30 days I recommended before last week)

• firewall ALL external network connections, including those to “trusted” vendors and partners (and tune firewalls to specifically allow only those inbound and outbound packets that are required for business)

• disallow the use of handheld devices for business purposes OR have 100% control over the content, configuration and management of those devices (a different view than I had before last week)

• subscribe to and regularly act upon security research. (Defcon talks demonstrated that SSL is often trivially broken, cloud computing is certainly suspect, and virtualization could introduce security vulnerabilities.)

Speaking of security research, TrustCC will be embarking on an effort to keep our clients better informed about emerging security research. So if you are not already subscribed to this blog through RSS, you should be.

As I reflect on the real risks spoken of and demonstrated at Defcon, I am gravely concerned that regulatory agencies are so distracted by financial safety and soundness issues. Those issues are certainly worthy of tremendous attention, but not at the expense of the “less squeaky wheel” of IT controls. It is my hope that regulatory agencies will raise the level of IT oversight in order to better assure that our banking system can thwart current and emerging attack vectors, because if consumer confidence is lost, the banking system goes away. Can you imagine?

– TrustCC

