Friday, January 10, 2014

Annual Vulnerability Testing - Are you really managing your Internet exposures?


To achieve compliance, GLBA requires a financial institution to have an independent test of its Firewall's ability to protect the internal network once a year. This is how the institution manages its Internet exposure. An annual test is performed, the regulator is shown the invoice and the report stating that the Firewall rules are protecting the firm, and compliance is achieved. Then a breach occurs and Management is "shocked that there is gambling in this cafe!".

Let's look at some facts. In my humble experience, an Internet-facing Firewall is "pinged" about 11 times every second, 24 hours a day, 7 days a week, by robots looking to identify exposed services and place a marker on them for later exploitation. OK, the math: 60 seconds in a minute, 60 minutes in an hour and 24 hours in a day gives us 11 per second × 60 × 60 × 24 = 950,400 "pings", that is, 950,400 knocks on the Firewall door every 24 hours.

So when Jim, our Network Engineer par excellence, adjusts our Firewall rules at 10 AM Wednesday morning to accommodate new business, and accidentally creates an interaction with existing rules that opens a vulnerability to the Internet, the question becomes: how long before we find this opening, and do we find it before the hackers do?

The answer is that under the annual vulnerability testing scenario it could be up to a year before this vulnerability is discovered. If that is unacceptable, we can strengthen our control over the Firewall and contract with a third party such as Verizon to scan our Firewall every 24 hours and email us a status report. Under this control model, Jim makes the rule change at 10 AM, Verizon scans our Firewall at 02:30 and sends Jim an email notifying him of the vulnerability, which he opens when he checks his email the next morning. He acts on the email and corrects the Firewall rules by 10 AM Thursday morning. So, our network was exposed to almost a million "knocks at the door" under our improved risk management approach. Are we actually managing our telecommunications perimeter risk effectively? I think not!

Penny Wise?

It turns out that there are real-time software products that evaluate proposed changes to your telecommunications perimeter / Firewall rules as you are making the change, and tell you whether your action creates a potential vulnerability. AlgoSec and ManageEngine are providers of these tools, though there are others. For a small price, such a tool can be installed, and it will alert Jim at 10:01 AM, just before he makes his rule change in production. Jim, so advised, can correct the rule before it is ever pushed to production, actually managing the risks of Internet perimeter security effectively!
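To make the idea concrete, here is an added illustration (not code from the original post, and not how AlgoSec or ManageEngine work internally): a first-match rule evaluator that checks a proposed change against a probe set of Internet-to-internal flows before it reaches production, and converts the time an opening goes unnoticed into the post's "knocks at the door" figure. The rule base, host addresses and probe set are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Optional

KNOCKS_PER_SECOND = 11  # probe rate quoted in the post

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR; "0.0.0.0/0" stands for the Internet
    dst: str             # destination CIDR
    port: Optional[int]  # TCP port, None = any port

def matches(rule, src, dst, port):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.port in (None, port))

def decide(rules, src, dst, port):
    """First-match evaluation; an implicit deny ends the list."""
    for r in rules:
        if matches(r, src, dst, port):
            return r.action
    return "deny"

def newly_exposed(old_rules, new_rules, probes):
    """Probe flows that were denied before the change and are allowed after it."""
    return [p for p in probes
            if decide(old_rules, *p) == "deny" and decide(new_rules, *p) == "allow"]

def knocks_during(hours):
    # expected scanner "knocks" while an opening stays unnoticed
    return KNOCKS_PER_SECOND * 3600 * hours

# Constructed sample policy and probe set (not a real firm's rule base).
INTERNAL_HOSTS = ["10.0.0.5", "10.0.0.10"]
SENSITIVE_PORTS = [22, 445, 3389]
PROBES = [("203.0.113.7", h, p) for h, p in product(INTERNAL_HOSTS, SENSITIVE_PORTS)]
CURRENT = [Rule("allow", "0.0.0.0/0", "10.0.0.10/32", 443),  # public web server
           Rule("deny", "0.0.0.0/0", "10.0.0.0/24", None)]    # block the rest
# Jim's change: the partner rule is inserted above the deny with an any-source,
# any-port match, so it silently overrides the blanket deny for 10.0.0.5.
PROPOSED = [Rule("allow", "0.0.0.0/0", "10.0.0.5/32", None)] + CURRENT

if __name__ == "__main__":
    for flow in newly_exposed(CURRENT, PROPOSED, PROBES):
        print("change would open:", flow)
    for label, hours in [("pre-change check", 0), ("daily scan", 24), ("annual test", 8760)]:
        print(f"{label}: {knocks_during(hours):,} knocks before detection")
```

Run as a pre-commit step on the rule file, the check flags the three sensitive ports on 10.0.0.5 that the change would open while the exposure window is still zero hours.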

With this approach, COMBINED with a 24-hour or annual vulnerability test program and an Intrusion Detection System, you can actually stand before the Board and report that a breach due to a telecommunications perimeter security failure is acceptably unlikely. You are managing this risk.
