• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 532
  • Last Modified:

Backend banking applications security & audit

I'm looking for articles that outline what are the areas to audit
in backend banking apps (not front-end like ATM) : things like
if https or ssl is being used, sensitive data files' access (esp
corporate banking as I'm not dealing with private banking)
are being controlled with audit trail (that indicates who, at
what time & purpose of access) : any specific implementation
examples and tools used would be good
  • 2
3 Solutions
btanExec ConsultantCommented:
I suggest PA-DSS checklist

E.g. PA-DSS Requirements and Security Assessment Procedures
1. Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
2. Protect stored cardholder data
3. Provide secure authentication features
4. Log payment application activity
5. Develop secure payment applications
6. Protect wireless transmissions
7. Test payment applications to address vulnerabilities
8. Facilitate secure network implementation
9. Cardholder data must never be stored on a server connected to the Internet
10. Facilitate secure remote access to payment application.
11. Encrypt sensitive traffic over public networks
12. Encrypt all non-console administrative access
13. Maintain instructional documentation and training programs for customers, resellers, and integrators

Superficially in SSL use you can see the below extract
5.4 The payment application must only use or require use of necessary and secure services, protocols, daemons, components, and dependent software and hardware, including those provided by third parties, for any functionality of the payment application (for example, if NetBIOS, filesharing, Telnet, FTP, etc., are required by the application, they are secured via SSH, S-FTP, SSL, IPSec, or other technology).
11.1 If the payment application sends, or facilitates sending, cardholder data over public networks, the payment application must support use of strong cryptography and security protocols (for example, SSL/TLS, Internet protocol security (IPSEC), SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks
12.1 Instruct customers to encrypt all non-console administrative access with strong cryptography, using technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
...and PCI-DSS' requirement 6 (Develop and maintain secure systems and application), can check out the "Prioritized Approach Tool Version 2.0" xls found below
Fadi SODAH (aka madunix)Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP and CCIPCommented:
Some thoughts:

· Consider future prospects of Information Systems changes.
· Accessing the Information Systems and what sort of rights do they have.
· Segregation of duties RAM (Responsibility Assignment Matrix)
· Think about the back up. I.e. frequency, storage media etc.
· Important aspect will be the disaster recovery plan and system recovery.

btanExec ConsultantCommented:
Agreed, role based and least privileged scheme for identity mgmt needs to be considered, we wouldnt want the sysadmin to have superuser unnecessarily and esp those contractor having that rights (which they shouldnt). The repeat of "snowden" saga reminds us that insider threats are very real and turning audit log will not make great impact w/o continuous monitoring of the log piping to SIEMS or SOC to make sure anomalies are flagged and escalated. It may not be totally prevented but at least deterrence is a good showing to those perpetrator.

Common Sense Guide to Mitigating Insider Threats

Another two more I see as potential threats are data leakage and mobile appl emergence for payment appl, and they are self explanatory in the sort of dangers, below are some references for info

Controlling the Malicious Use of USB Media

PCI Mobile Payment Acceptance Security Guidelines

4.2 Create server-side controls and report unauthorized access.
Develop the overall payment-acceptance solution to include capabilities for preventing and reporting unauthorized access attempts, identifying and reporting abnormal activity, and discontinuing access (i.e., the payment-acceptance solution would prevent further access by the mobile payment-acceptance app on that device until an administrator restores access). Controls include, but are not limited to:

¿ -Support for authorized access (e.g., access control list)
¿- Ability to monitor events and to distinguish normal from abnormal events
¿-Ability to report events (e.g., via a log, message, or signal) including cryptographic key changes, escalation of privileges, invalid login attempts exceeding a threshold, updates to application software or firmware, and similar actions
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now