BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance


GUARDING YOUR BUSINESS BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance www.balabit.com

In 2008, the Monetary Authority of Singapore (MAS), the country's central bank, published version three of the Internet Banking and Technology Risk Management Guidelines (IBTRM). Internet banking systems and related online technologies have become increasingly complex, sophisticated and diverse, and the updated IBTRM contains expanded guidance for combating cyber threats and attacks, including emerging cyber exploits. Banks offering or delivering products and services via the internet or other telecommunication networks are expected to implement systems, procedures and processes that establish a sound and robust technology risk management framework, strengthen system security, reliability, availability and recoverability, and deploy strong cryptography and authentication mechanisms to protect customer data and transactions. The MAS continually appraises the adequacy of banks' risk management practices and internal control systems and processes, and has the authority to take action against banks that do not meet the guidelines. Banks that do not comply face serious consequences.

How can BalaBit help with IBTRM compliance?

Log Management

Collecting and managing the log messages generated by devices and applications such as firewalls and intrusion prevention systems is an important part of ensuring security and availability; in fact, system logging is explicitly required in the IBTRM. BalaBit's syslog-ng solution is the most widespread universal log management tool in the world, and with syslog-ng banks can fulfill the security and control objectives set out in section four of the IBTRM.

Section 4.0 of the IBTRM: Security Objectives, and how syslog-ng Premium Edition supports them

4.1 Data Confidentiality
Guideline: The bank's online systems should employ a level of encryption appropriate to the type and extent of risk present in its networks, systems and operations.
How syslog-ng PE supports it: Log messages may contain sensitive information and private data such as usernames and passwords, so they must be protected against eavesdropping while in transit over the network, and their integrity must be preserved so that no unauthorized modification is possible. syslog-ng PE addresses both by encrypting the client-server communication with Transport Layer Security (TLS) and authenticating both the client and the server with X.509 certificates. Note that TLS protects the message only on the wire; once written to disk it is protected only by the storage controls described under 4.5.

4.2 System Integrity
Guideline: Banks should install monitoring or surveillance systems that would alert them to any erratic system activities or unusual online transactions taking place.
How syslog-ng PE supports it: Collecting and transferring the log messages that record successful and unsuccessful authentication and authorization attempts forms the backbone of a robust monitoring and surveillance system. syslog-ng PE rapidly collects these messages and transfers them securely and reliably to a central log server or a third-party log analysis tool.

4.3 System Availability
Guideline: Management is expected to have in place procedures and monitoring tools to track system performance, server processes, traffic volumes, transaction duration and capacity utilization on a continual basis to ensure a high level of availability of their internet banking services.
How syslog-ng PE supports it: Log messages from devices and applications throughout the network carry important information about the health of IT systems, and harnessing the millions of messages generated by a wide variety of sources is critical to keeping systems available. syslog-ng collects, filters, classifies and normalizes messages from across the network and stores them on a central log server. Messages are transferred with zero message loss, preserving the integrity of the data about system performance.

4.4 Customer and Transaction Authenticity
Guideline: In view of the proliferation and diversity of cyber attacks, banks should implement two-factor authentication at login for all types of internet banking systems and for authorizing transactions. The principal objectives of two-factor authentication are to protect the confidentiality of customer account data and transaction details and to enhance confidence in internet banking by combating phishing, keylogging, spyware, malware, man-in-the-middle attacks and other internet-based scams and malevolent exploits targeted at banks and their customers.
How syslog-ng PE supports it: Online banking applications generate log messages recording customer login and logout status. syslog-ng processes messages from a wide variety of sources, including custom applications, in real time and forwards them to database destinations or third-party log analysis tools. Because messages carrying customer authentication status must not be lost during collection and processing, syslog-ng PE provides adaptive message-rate flow control, client-side disk buffering and client-side failover. In practice the zero-loss guarantee holds up to the capacity of the configured disk buffer, so size it for the longest outage of the central server that must be tolerated.

4.5 Customer Protection
Guideline: Customer protection is of paramount importance in internet banking. The bank must ensure that a customer is properly identified and authenticated before access to sensitive customer information or online banking functions is permitted. Sensitive customer information includes customer personal particulars or account details that could be used to identify a customer.
How syslog-ng PE supports it: Logs may contain sensitive information such as personal identification numbers (PINs) and card validation codes. syslog-ng PE protects these messages by storing them in an encrypted file rather than the plain-text files commonly used for logs. Its message-rewriting capabilities can also remove sensitive customer data automatically, ideally on the client before the message is transmitted, so that the data never reaches the central store at all.
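The following configuration is an added example of the controls described under 4.1, 4.3/4.4 and 4.5 (mutual TLS, a reliable client-side disk buffer, redaction of PINs and card validation codes, and restrictive storage). It is not taken from the BalaBit document or from any BalaBit product documentation. It is written in syslog-ng OSE 3.x configuration syntax; the hostnames, file paths, port number, buffer sizes and the redaction pattern are assumptions, and the Premium Edition option names for the encrypted logstore are marked as assumed in the comments.

```syslog-ng
@version: 3.30
# Added example (syslog-ng OSE 3.x syntax), not BalaBit's own configuration.
# Hostnames, paths, port, buffer sizes and the redaction pattern are assumptions.

#### Client side: bank application host ####

source s_app {
    system();      # local syslog / journal of the application host
    internal();    # syslog-ng's own diagnostic messages
};

# 4.5: redact PINs and card validation codes before the message leaves the host.
# The pattern only covers key=value fields named pin, cvv or cvc2 (assumed names);
# extend it to the field names your applications actually emit.
rewrite r_redact {
    subst('\b(pin|cvv|cvc2)=[0-9]{3,6}\b', '$1=[REDACTED]',
          value("MESSAGE") type("pcre") flags("global", "ignore-case"));
};

# 4.1: TLS with mutual X.509 authentication.
# 4.3 / 4.4: reliable disk buffer so nothing is dropped while the server is unreachable.
destination d_central {
    syslog("logserver.example.com" port(6514) transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")            # CA that signed the server certificate
            key-file("/etc/syslog-ng/client.key")
            cert-file("/etc/syslog-ng/client.crt")   # presented to the server for client authentication
            peer-verify(required-trusted)            # drop the connection if the server cert is untrusted
        )
        disk-buffer(
            reliable(yes)                  # messages are written to disk before being acknowledged
            disk-buf-size(1073741824)      # 1 GiB: size this for the longest tolerated server outage
            mem-buf-size(16777216)         # 16 MiB memory part of the reliable queue
            dir("/var/lib/syslog-ng/diskbuffer")
        )
    );
};

log {
    source(s_app);
    rewrite(r_redact);
    destination(d_central);
    flags(flow-control);   # slow the source down instead of dropping when the queue fills
};

#### Server side: central log server ####

source s_tls_in {
    syslog(ip("0.0.0.0") port(6514) transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")            # CA that signed the client certificates
            key-file("/etc/syslog-ng/server.key")
            cert-file("/etc/syslog-ng/server.crt")
            peer-verify(required-trusted)            # reject clients that present no trusted certificate
        )
    );
};

# Restrictive permissions on the stored files; one file per sending host and day.
destination d_store {
    file("/var/log/central/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes) perm(0600) dir-perm(0700));
};

# Premium Edition only (assumed option name, check the PE administrator guide):
# an encrypted logstore instead of a plain file, as the document describes under 4.5.
# destination d_store {
#     logstore("/var/log/central/${HOST}.lgs"
#              encrypt-certificate("/etc/syslog-ng/logstore-public.pem"));
# };

log { source(s_tls_in); destination(d_store); };
```

Two checks before relying on this: ca-dir() expects the CA certificate together with a symlink named after its subject hash (created with openssl rehash or c_rehash), otherwise verification fails silently on the client. Then confirm that client authentication is really enforced by connecting with openssl s_client to port 6514 once without and once with -cert/-key; only the second connection should survive the handshake. Finally, feed a constructed line such as "card=4111111111111111 cvv=123 pin=1234" through the client and confirm that the server-side file contains only the redacted fields.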

Privileged Activity Monitoring

Sections 5.0 and 8.0 of the IBTRM set out security guidelines on Human Resource Management and Outsourcing Management. Internet security ultimately relies on trusting a small group of skilled personnel, who must be subject to proper checks and balances. In its guidance the MAS recognizes that system administrators, IT security officers, programmers and outsourcing providers performing critical operations invariably possess the capability to inflict severe damage on internet banking systems by virtue of their job functions and privileged access. Consequently, their duties and their access to system resources must be placed under close scrutiny. BalaBit Shell Control Box (SCB) addresses this challenge: it is an activity monitoring appliance that controls access to remote system resources and records the activities of the users accessing them.

IBTRM Guideline, and how BalaBit's Shell Control Box supports it

5.1 HUMAN RESOURCE MANAGEMENT

5.1.2 a) Never alone principle: Certain system functions and procedures are of such a sensitive and critical nature that they should be jointly carried out by more than one person, or performed by one person and immediately checked by another.
5.1.2 b) Segregation of duties principle: Responsibilities and duties that should be separated and performed by different groups of personnel are operating systems function, systems design and development, application maintenance programming, computer operations, database administration, access control administration, data security, librarian and backup data file custody.
How SCB supports it: To avoid accidental misconfiguration and other human errors, SCB supports the 4-eyes authorization principle: an authorizer must approve before an administrator can access the server, and the authorizer can watch the administrator's work in real time, as if both were looking at the same screen. SCB controls and audits access to remote servers independently of both the users and the server administrators, so a separate auditor layer can be created above the system administrators, which helps to segregate IT maintenance from IT security. SCB also supports user-mapping policies: a user-mapping policy describes who may use a specific username to access the remote server, so that, for example, only members of a specified local or LDAP user group (such as administrators) can log in as root on that server.

5.1.2 c) Access control principle: Access rights and system privileges must be based on job responsibility and the necessity to have them to fulfill one's duties. Only employees with proper authorization should be allowed to access confidential information and use system resources, solely for legitimate purposes.
5.1.7 Personnel with elevated system access entitlements should be closely supervised, with all their system activities logged, as they have the inside knowledge and the resources to circumvent system controls and security procedures.
How SCB supports it: SCB is an enforcement point for company policy, so only authorized personnel can reach critical assets. Access is defined as explicit connections: a server can be reached only from the listed client IP addresses, and a connection can be narrowed further by the time of day at which the server may be accessed, the usernames and authentication method used, or the types of channels permitted within SSH or RDP sessions (for example, allowing an SSH shell but not port forwarding). SCB can authenticate users against an external user directory and can enforce two-factor authentication. SCB records every remote working session into searchable audit trails, making it easy to find the relevant information in forensic and other investigations, and replays recorded sessions like a movie: every action of the administrator can be seen exactly as it appeared on their monitor. SCB is an independent device that operates transparently and extracts the audit information directly from the communication between client and server, which prevents anyone from modifying the audited information; not even the administrator of SCB can tamper with the audit trails, which are timestamped, encrypted and signed. That separation holds only if the keys used to sign and encrypt the trails, and the accounts that administer SCB itself, are kept out of the hands of the administrators being audited.

8.2 MONITORING OUTSOURCING ARRANGEMENTS

8.2.1 A process of monitoring service delivery, performance reliability and processing capacity of the service provider should also be established, for the purpose of gauging ongoing compliance with agreed service levels and the viability of its operations.
How SCB supports it: SCB is an independent device that reliably monitors all external administrative activity. It lets organizations oversee and audit third-party providers and is also a good tool for evaluating their effectiveness; control over SLA-bound and billable activities improves because delivery of the contracted services can be verified. The recorded audit trails can be used as evidence to settle any accountability dispute about the remotely administered systems, which is in the interest of both the customer and the IT provider. In troubleshooting and forensic situations SCB supplies the detail needed to uncover the root cause of incidents quickly.

About BalaBit

BalaBit IT Security is an innovative information security company, a global leader in the development of privileged activity monitoring, trusted logging and proxy-based gateway technologies that help protect customers against internal and external threats and meet security and compliance regulations. As an active member of the open source community, we provide solutions for a uniquely wide range of both open source and proprietary platforms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments. BalaBit is also known as the syslog-ng company, after the company's flagship product, the open source log server application, which is used by more than 650,000 companies worldwide and has become the globally acknowledged de facto industry standard. BalaBit, the second fastest-growing IT security company in the Central European region according to the Deloitte Technology Fast 50 (2010) list, has local offices in France, Germany, Italy, Russia and the USA, and cooperates with partners worldwide. Our R&D and global support centers are located in Hungary, Europe.

Shell Control Box and syslog-ng product information: www.balabit.com