BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance

Transcription

1 GUARDING YOUR BUSINESS BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance

2 In 2008, the Monetary Authority of Singapore (MAS), the country s central bank, published version three of the Internet Banking and Technology Risk Management Guidelines (IBTRM). Internet banking systems and related online technologies have become increasingly complex, sophisticated and diverse. The updated version of IBTRM contains expanded guidance for combating cyber threats and attacks, including emerging cyber exploits. Banks offering or delivering products and services via the internet or other telecommunication networks are expected to implement systems, procedures and processes to establish a sound and robust technology risk management framework, strengthen system security, reliability, availability and recoverability, and deploy strong cryptography and authentication mechanisms to protect customer data and transactions. The MAS continually appraises the adequacy of banks risk management practices and internal control systems and processes and has the authority to take action against banks that do not meet the guidelines. Banks not complying with the guidelines face serious consequences. How BalaBit can help with IBTRM compliance? Log Management Collecting and managing the log messages generated by devices and applications such as firewalls and intrusion prevention systems forms an important part of ensuring security and availability. In fact, system logging is explicitly required in the IBTRM. BalaBit s syslog-ng solution is the most widespread universal log management tool in the world. Using syslog-ng banks can fulfill the security and control objectives set out in section four of the IBTRM. 4.0 IBTRM Guideline Security Objectives How syslog-ng Premium Edition supports it? 4.1 Data Confidentiality - The bank s online systems should employ a level of encryption appropriate to the type and extent of risk present in its networks, systems and operations. Log messages may contain sensitive information and private data such as passwords and usernames. It is important that they are protected against eavesdropping when transmitted over the network. The integrity of the message must be also maintained so that no unauthorized modification of the message is possible. To address these issues, the syslog-ng PE application uses the secure Transport Layer Security (TLS) protocol to encrypt the communication with the server, and authenticates both the client and the server using X.509 certificates.

3 4.2 System Integrity - Banks should install monitoring or surveillance systems that would alert them to any erratic system activities or unusual online transactions taking place. 4.3 System Availability - Management is expected to have in place procedures and monitoring tools to track system performance, server processes, traffic volumes, transaction duration and capacity utilization on a continual basis to ensure a high level of availability of their internet banking services. 4.4 Customer and Transaction Authenticity - In view of the proliferation and diversity of cyber attacks, banks should implement two-factor authentication at login for all types of internet banking systems and for authorizing transactions. The principal objectives of twofactor authentication are to protect the confidentiality of customer account data and transaction details as well as enhance confidence in internet banking by combating phishing, keylogging, spyware, malware, middleman attacks and other internet-based scams and malevolent exploits targeted at banks and their customers. 4.5 Customer Protection - Customer protection is of paramount importance in internet banking. The bank must ensure that a customer is properly identified and authenticated before access to sensitive customer information or online banking functions is permitted. Sensitive customer information includes customer personal particulars or account details that could be used to identify a customer. Collecting and transferring log messages which track successful and unsuccessful authentication and authorization attempts form the backbone of a robust monitoring and surveillance system. syslog-ng Premium Edition can rapidly collect log messages and securely and reliably transfer them to a central log server or third party log analysis tool. Log messages from devices and applications throughout a network contain important information on the health of IT systems. Harnessing the information contained in the millions of log messages gernerated by a wide variety of sources is critical to ensuring system availability. syslog-ng can collect, filter, classify and normalize log messages from a wide variety of sources throughout the network and store them in a central log server. Log messages can be transferred with zero message loss ensuring the integrity of important data about system performance. Online banking applications generate log messages detailing customer login and logout status. syslog-ng can process log messages from a wide variety of sources, even custom applications, in real-time and forward them to database destinations or third party log analysis tools. Given the importance of log messages containing customer authentication status, no messages can be lost during collection and processing. syslog-ng Premium Edition ensures zero message loss with adaptive message rate flow control, client-side disk buffering, and client-side failover. Logs may contain sensitive information such as personal identification numbers (PIN) and card validation codes. syslog-ng PE protects these messages by storing them in an encrypted file instead of plain text files commonly used to store log messages. It is also possible to rewrite messages and automatically remove sensitive customer data using the message-rewriting capabilities of syslog-ng.

4 Privileged Activity Monitoring In sections 5.0 and 8.0 of the IBTRM sets out security guidelines on Human Resource Management and Outsourcing Management. Internet security ultimately relies on trusting a small group of skilled personnel, who must be subject to proper checks and balances. In its guidance, the MAS recognizes the fact that system administrators, IT security officers, programmers and outsourcing providers performing critical operations invariably possess the capability to inflict severe damage on the internet banking systems by virtue of their job functions and privileged access. Consequently, their duties and access to systems resources must be placed under close scrutiny. BalaBit Shell Control Box (SCB) can be a solution for the this challenge, as it is an activity monitoring appliance that controls access to remote system resources, and records the activities of the users accessing these systems. IBTRM Guideline How BalaBit s Shell Control Box supports it? 5.1 HUMAN RESOURCE MANAGEMENT a) Never alone principle Certain systems functions and procedures are of such sensitive and critical nature that they should be jointly carried out by more than one person or performed by one person and immediately checked by another b) Segregation of duties principle Responsibilities and duties that should be separated and performed by different groups of personnel are operating systems function, systems design and development, application maintenance programming, computer operations, database administration, access control administration, data security, librarian and backup data file custody. To avoid accidental misconfiguration and other human errors, SCB supports the 4-eyes authorization principle. This is achieved by requiring an authorizer to allow the administrators to access the server. The authorizer also has the possibility to monitor the work of the administrator real-time, just like they were watching the same screen. SCB provides a way to control and audit access to remote servers independently from the users and the server administrators, allowing you to create a separate auditor layer above system administrators. This helps to segregate IT maintenance and IT security. With SCB, user-mapping policies can be defined, as well. A user-mapping policy describes who can use a specific username to access the remote server: only members of the specified local or LDAP usergroups (for example administrators) can use the specified username (for example root) on the server.

5 5.1.2 c) Access control principle Access rights and system privileges must be based on job responsibility and the necessity to have them to fulfill one s duties. Only employees with proper authorization should be allowed to access confidential information and use system resources solely for legitimate purposes Personnel with elevated system access entitlements should be closely supervised with all their systems activities logged as they have the inside knowledge and the resources to circumvent systems controls and security procedures. SCB is an enforcement point for company policies so only authorized personal can access critical assets. SCB allows you to define connections: access to a server is possible only from the listed client IP addresses. This can be narrowed by limiting various parameters of the connection, for example, the time when the server can be accessed, the usernames and the authentication method used, or the type of channels permitted in SSH or RDP connections. Also, SCB can authenticate the users to an external user directory. SCB can enforce two-factor authentication, as well. SCB records all remote working sessions into searchable audit trails, making it easy to find relevant information in forensics or other situations. It replays the recorded sessions just like a movie all actions of the administrators can be seen exactly as they appeared on their monitor. It is an independent device that operates transparently, and extracts the audit information directly from the communication of the client and the server. This prevents anyone from modifying the audited information not even the administrator of SCB can tamper the audit trails, which are timestamped, encrypted, and signed. 8.2 MONITORING OUTSOURCING ARRANGEMENTS A process of monitoring service delivery, performance reliability and processing capacity of the service provider should also be established for the purpose of gauging ongoing compliance with agreed service levels and the viability of its operations. SCB is an independent device that can reliably monitor all external administrative activities. It gives organizations the possibility to oversee and audit third party providers, and is also a great tool to evaluate their effectiveness. Consequently, control over SLA - and billable activities can be improved, as the fulfillment of the services can be verified. The recorded audit trails can be used as evidence to settle any accountability issues about the remotely administered systems which is common interest of both the customer and the IT provider. SCB provides detailed info in troubleshooting and forensics situations to quickly uncover the root causes of incidents.

6 About BalaBit BalaBit IT Security is an innovative information security company, a global leader in the development of privileged activity monitoring, trusted logging and proxy-based gateway technologies to help protect customers against internal and external threats and meet security and compliance regulations. As an active member of the open source community, we provide solutions to a uniquely wide range of both open source and proprietary platforms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments. BalaBit is also known as the syslog-ng company, based on the company s flagship product, the open source log server application, which is used by more than 650,000 companies worldwide and became the globally acknowledged de-facto industry standard. BalaBit, the second fastest-growing IT Security company in the Central European region according to the Deloitte Technology Fast 50 (2010) list, has local offices in France, Germany, Italy, Russia, and in the USA, and cooperates with partners worldwide. Our R&D and global support centers are located in Hungary, Europe. Shell Control Box homepage syslog-ng homepage Request a callback