SynerComm Blog
Wireless Architecture Brief
Mobility requires next-generation access without regard to user physical location. And today’s user-owned or “bring your own device (BYOD)” environment is fueled by multiple device operating system platforms, including devices which run on Android or Apple iOS. Mobile “anywhere” user access needs to support multiple device types. The way next-generation mobility is first enabled is through the access layer, which is delivered through several alternative approaches/architectures.
10 Tips to Passing Your Web Application Penetration Test
(or 10 Tips for Securing your Web Application)
The list below covers the most common weaknesses we find when conducting web application pen tests or vulnerability assessments. Click here to learn more about SynerComm’s AssureIT Penetration Testing and Assessment services or to request a quote.
FFIEC Internet Banking Authentication Supplement released - first impressions
Yesterday the FFIEC released their update to the 2005 Online Banking Guidance - titled "Supplement to Authentication in an Internet Banking Environment". Below are some first impressions.
As expected, the guidance focuses on Commercial online banking services. This is because the majority of online banking fraud has occurred through Commercial banking platforms, which allow for higher-risk transactions such as ACH and Wire. The guidance suggests that FIs "recognize and address the fact that not every online transaction poses the same level of risk. Therefore, financial institutions should implement more robust controls as the risk level of the transaction increases." They go on to suggest that layered security is appropriate for consumer access (I read into this that they do not seem to expect strong multifactor authentication for consumer access) but multifactor is recommended for Commercial platforms.
FireEye malware detection review
I’d been hearing some buzz around FireEye on the security mailing lists and such, but with the constant influx of “new security product” info I’d been ignoring it. Now I’ve seen it in action at some of our clients’ sites and I’m impressed with it.
The essence of the FireEye product is different from every other security appliance or software out there. The FireEye appliance has a stack of virtual machines including many flavors of Windows operating systems and many targeted applications like Java, Adobe, Windows Media, and Office. The FireEye appliance sniffs HTTP traffic off the wire, takes anything that looks like it could be suspicious code, and tries to execute it within the applications and operating systems in its virtual machines.
2011 FFIEC Online Banking Guidance prep part 3 – Authentication Techniques
This blog posting will describe the evolution of authentication techniques commonly applied to online financial applications, including some of the benefits and drawbacks of the common methodologies.
User ID and Password
The most common authentication mechanism in use on the web today is a user ID and a password. This is considered “single-factor authentication” because there is only one aspect (the password) that a bad guy needs to compromise to break the authentication system.
In 2005 the FFIEC came out with a very strong guidance statement that said “The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.” This caused financial institutions and their service providers to quickly begin to work to implement stronger controls.
2011 FFIEC Online Banking Guidance prep part 2 – Online Banking Attacks
There is a lot of information available on the Internet about Banking Trojans and the recent trend of online bank account attacks. In this article we provide a brief overview and then focus on the points of failure that allow these fraud attacks to occur.
2011 FFIEC Online Banking Guidance prep part 1 – Risk Assessment
This blog posting is meant to help individuals who need to conduct or update their online banking risk assessment in compliance with the new FFIEC guidance that is expected to be released soon, and maybe need a framework or a place to start. This article will walk through how the FFIEC’s framework for an Information Security Risk Assessment, available from the FFIEC handbook at http://ithandbook.ffiec.gov/it-booklets/information-security/information-security-risk-assessment.aspx, could be used as a basis for an online banking risk assessment.
Preparing for the 2011 FFIEC Online Banking Guidance – Introduction
In 2001 the FFIEC issued guidance titled “Authentication in an Electronic Banking Environment” which provided banks an overview of risk and expectations for risk management controls in an Online Banking environment. In 2005 the FFIEC issued an update to this guidance titled “Authentication in an Internet Banking Environment”. The 2005 Guidance provided additional expectations, and in particular went as far as to specifically say that single factor authentication is inadequate for high risk transactions.
In the near future, the FFIEC is expected to release another update to this guidance for 2011.
Planning for IPv6 – Are You Ready?
Thursday Feb 3rd, 2011, as most of the United States unburied itself from one of the largest blizzards in decades, a few news agencies like CNN and the AP put out a story that made the bottom of any list of headlines. To most people it’s not a big deal. To those of us that were around for the real birth of the Internet it’s a HUGE deal.
On Thursday, the primary issuing agency for IP addresses gave out the last unallocated block of IPs to APNIC (Asia) for assignment. This means that essentially there are no major blocks of IPs left in the original pool of IPv4 space.
Junos: An Outsider’s Viewpoint
My name is Brian Lemm, and I started working for SynerComm four weeks ago. Until then I knew that Juniper had a network line, but I came from eleven years at a large Fortune 500 company that is a Cisco-exclusive shop. This is not going to be a Cisco versus Juniper entry – I just wanted to give a little info on my background (just saying I’ve been around the block a few times).
Switches switch and routers route. If a networking manufacturer didn’t do those two things well they wouldn’t still be in business… Even equipment that is off the retail shelf will do that. So personal preference plays a big role in deciding which vendor to choose. When I started at SynerComm, I hadn’t touched a Juniper device, so when I was given the opportunity to tag along to some installs I jumped at the opportunity. New technology? Sign me up!
Stop Guessing and Start Measuring
One of the things that continues to surprise me as I work in security consulting is the extraordinary number of businesses that struggle with IT security.
