RE: Bank Audit Best practices

From: Gault, Brian (brian.gault@greenwichtech.com)
Date: Tue Mar 23 2004 - 09:43:24 EST


Mike, please don't take offense to this response, but with all due respect,
you are sincerely and totally wrong. If the processor gets nailed with SQL
Slammer, or anything else nasty and fast spreading, and there are no
controls as to what traffic is limited from their network back to the bank's
network, BAM!! (a little Emerald humor) - they have just infected the bank's
network, possibly resulting in loss of the bank's ATM machines (like SLAMMER
did to the LARGEST bank in the world, BANK ONE), DoS against some of the
bank's mission critical servers, and a whole ton of pain, heartache, lost
production hours and costs associated with any cleanup.

Thanks,
Brian G.

-----Original Message-----
From: Mike Shaw
To: dante@webcti.com; pen-test@securityfocus.com; keithp@corp.ptd.net
Sent: 3/22/2004 3:24 PM
Subject: RE: Bank Audit Best practices

On Mon, 22 Mar 2004 04:34:46 -0800 Keith Pachulski <keithp@corp.ptd.net>
wrote:
>Hey Dante
>
>I have run into this on numerous occasions while doing some consulting
>and have always with 100% failure caused them to realize the potential
>threat of this design.

Here's the issue: What is the threat? If all the customer/member data
resides at the processor, then what can an attacker do to an institution
via the processor that hasn't already been compromised?

Many small institutions also use the processor for mail storage and other
services. It's also common for a processor to perform other services
such as workstation tech support. What is the benefit to firewalling
off a bunch of workstations?

In many, many cases, a firewall at the institution looks great on paper,
and might garner some consulting dollars...but it doesn't really *do*
anything for risk management.

-Mike



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT