ECKLER FS TECHNOLOGY APPLICATIONS SECURITY CONTROLS. General Security Controls for Products & Services (Updated )

Transcription

1 ECKLER FS TECHNOLOGY APPLICATIONS SECURITY CONTROLS General Security Controls for Products & Services (Updated )

2

3 TABLE OF CONTENTS 1. EXECUTIVE SUMMARY FS TECHNOLOGY APPLICATIONS espace ingenius foreward renaissance 2 3. SECURITY CONTROLS Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Servers and Virtual Machines Continuous Vulnerability Assessment and Remediation Malware Defences Application Software Security Wireless Device Control Data Recovery Capability Security Skills Assessment and Appropriate Training to Fill Gaps Secure Configurations for Network Devices (Firewalls, Routers, and Switches) Limitation and Control of Network Ports, Protocols, and Services Controlled User of Administrative Privileges Boundary Defence Maintenance, Monitoring, and Analysis of Security Audit Logs Controlled Access Based on the Need to Know Account Monitoring and Control Data Loss Prevention Incident Response Capability Secure Network Engineering Penetration Testing QUESTIONS TOC (i) [ Table of Contents ]

4

5 1. EXECUTIVE SUMMARY Eckler Ltd. utilizes a variety of advanced technologies and best practices to ensure our client s data is safe. Our security best practices are always a work in progress and continuously evolve to counter new threats and vulnerabilities. This report identifies the security controls currently employed by Eckler Ltd. s Financial Services Group for their internally developed and hosted applications. The environment outlined by this report is the production environment for the applications which are hosted in two datacenter at Eckler Ltd. The production environment is isolated from the rest of Eckler Ltd. and has separate internet connections with separate network infrastructure and hardware. 2. FS TECHNOLOGY APPLICATIONS The FS Technology Applications currently offered by Eckler and to which the present security controls are enforced are limited in number and fully documented espace espace is a "Collaborative Data and Content Management Platform" delivered as a web-based application. It is a fully integrated business toolbox, cross-platform, multi-purpose, web-based application. It equally serves as a very flexible Content Management System (CMS), Files Management system and sftp, Client Relationship Management (CRM) (Panorama) and secure communication system / private server (Conversation). espace is very user-friendly and surprisingly powerful. It can replace other cloud services which are limited in their application and security, or cumbersome to install/maintain. Transferring files and communicating securely has never been so easy by using espace ingenius ingenius is an innovative state-of-the-art life insurance and annuity illustration portal. ingenius is a modern platform, web-based by design, which utilizes the latest and most efficient suite of software, resulting in a very pleasant user experience that achieves business objectives. ingenius includes an underwriting workflow together with a powerful document management system, utilizing its sister web-based tool, espace, to take full advantage of its Cloud capabilities foreward foreward is a web-based application offered as a service platform that allows an insurance carrier to distribute instant issue insurance products through multiple vendors. The platform is developed with the latest web technologies available to provide a user-friendly experience to the customers purchasing the insurance as well as the vendors, and the carrier. The platform supports custom branding for the insurance carrier and / or vendors so the customer is always dealing with a familiar experience. The insurance products can be quoted on a stand-alone basis for simple products such as Term, or can be directly linked to our robust insurance illustration system, ingenius, for products like Universal Life, Whole Life with cash value, and other more complex products. Page 1 [ FS Technology Applications Security Controls]

6 2.4. renaissance Eckler is creating a reinsurance pool, called renaissance, which provides automatic on-call capacity for international offshore insurance carriers offering life insurance products for face amount of USD$2 million to over USD$100 million. The reinsurance rates are fully guaranteed for renaissance and, subject to underwriting approval, the risk must be accepted by each participating Reinsurer. The Reinsurers administrative burden is reduced because, (a) a trust vehicle ( renaissance in Trust ) handles the funds transfer, and (b) renaissance serves as a third party administrator for the reinsurance pool. All of these services are performed through our web-based application. Page 2 [ FS Technology Applications Security Controls]

7 3. SECURITY CONTROLS As part of the Eckler Ltd. s IT security strategy, we have identified 20 key IT Security Controls to further enhance our security posture. The 20 key security controls were originally developed by the US National Security Agency (NSA) in 2008 and is widely used by the US and other government agencies, financial institutions and corporations as a centrepiece for effective IT security programs. By adopting these controls into the daily IT operations with Eckler we are establishing a clearly defined roadmap and agreed upon process for ensuring the safe handling and processing of data. The controls at a glance: Page 3 [ FS Technology Applications Security Controls]

8 3.1. Inventory of Authorized and Unauthorized Devices Reduce the ability of attackers to find and exploit unauthorized systems Use active monitoring and configuration management to maintain up-to-date inventory of devices connected to the production network. Nessus Vulnerability scanner is used to actively scan our networks and discover all machines on the network. The scans are done bi-weekly and reviewed to make sure their are no vulnerabilities due to the configuration of machines or if there are machines that are not part of the authorized list of systems. List of authorized systems is documented in the production environment documentation stored in the configuration project on gitlab. Changes to the document must be approved by the Head of Eckler Ltd. s Financial Services Group s Technology Services (FS Head of Technology), currently Sylvain Goulet Inventory of Authorized and Unauthorized Software Identify vulnerable or malicious software to mitigate or root out attacks Maintain a list of authorized software for each system, utilize tools to track software installed and monitor for unauthorized or unnecessary software. We use a software-audit utility that was internally developed to provide a list of unauthorized software for a system. The utility has a list of approved software for each machine and is ran quarterly. Any changes to the list of approved software is committed to the utility s project on gitlab to track who made the change. Changes to the list of software for a system must have an approval from the FS Head of Technology Secure Configurations for Hardware and Software on Servers and Virtual Machines Prevent attackers from exploiting services and settings that allow easy access through networks and browsers Attackers exploit weak default configurations of systems that are more geared to ease of user than security. Strict configuration management should be followed to prevent attacks by malware looking for systems that were configured with vulnerable software installed. A systematic approach must be adhered to ensure all newly deployed systems are installed with pre-approved software and all patches applied. Additionally, all newly deployed systems must be hardened. This hardening must include removal of unnecessary accounts. Documentation is used to outline the deployment process of a Windows Hypervisor, Windows Virtual Machine, or a Linux Virtual Machine. Upon deploying a new machine a vulnerability scan must be performed and the list of software for that machine must be approved and added to the software-audit utility project. The ip addresses used by the machine and its purpose must also be documented in our Production Environment document. Solutions like Active Directory Group Policies are used to maintain strict configuration of machines in the Production Environment. Regular vulnerability scanning also identifies and vulnerabilities with the configuration of the machines. Page 4 [ FS Technology Applications Security Controls]

9 3.4. Continuous Vulnerability Assessment and Remediation Proactively identify and repair software vulnerabilities reported by security researchers or vendors Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with priority given to fixing critical and high vulnerabilities. Nessus Vulnerability Scanner runs a scan of all the machines weekly. The report from the scan is then ed to the Head of Eckler IT (currently Amar Sookram), the FS Head of Technology (currently Sylvain Goulet), and FS principal IT staff (currently Iván Vacacela and Phillip Couto). Changes to the list of vulnerabilities reported are documented in the Vulnerability Scans project on gitlab. Remediations are documented in the issues opened on gitlab to have a paper trail of work done Malware Defences Block malicious code from tampering with system settings or content, capturing sensitive data, or spreading Use automated anti-virus and anti-spyware software to continuously monitor and protect servers. Remediate and vulnerabilities that allow for attackers to control or inject code into the Production environment. Reduce permissions to content uploaded by external users of the applications. Run software in isolated environments to prevent infections from spreading. We currently run ESET anti-virus software that is automatically updated on the entry points to the production environment for the System Administrators. This prevents malicious code on an administrators machine from infecting the production environment. We continuously scan our network for vulnerabilities to remediate any critical or high vulnerabilities in a high priority fashion. Files uploaded by application users are stored in locations that have restrictive permissions to prevent the data accidentally being executed by a System Administrator or process Application Software Security Neutralize vulnerabilities in web-based and other application software Carefully test internally developed and third-party software for security flaws, including coding errors and malware. Acunetix Web Vulnerability Scanner is utilized to run internal scans against the applications on a quarterly basis or before a major update to an application is released into production. All scan results are stored in the Vulnerability Scans project on gitlab. Page 5 [ FS Technology Applications Security Controls]

10 3.7. Wireless Device Control Protect the security perimeter against unauthorized wireless access Wireless devices are prohibited in the production environment. Use tools to identify unauthorized devices within the network that may be a wireless device. Nessus Vulnerability Scanner identifies all network reachable devices within the networks. As the results are reviewed devices discovered by Nessus are compared to the production environment documentation to identify any unauthorized devices. If the unauthorized device is identified as a wireless device it will be removed or blocked immediately Data Recovery Capability Minimize the damage from an attack - effective data recovery is dependent on an effective backup system Use tools to backup application data, operating system images, and application configurations to ensure a rapid and consistent recovery of the system. Regularly test the consistency of the backups to confirm that the data and state of the system can be restored. Utilize physical security and encryption to properly secure the backup data from unauthorized access. All virtual machines not part of distributed clusters are replicated to a replica hypervisor. This ensures a warm backup of the entire virtual machine is on standby in a datacenter. Application data is replicated regularly between the datacenter on different physical machines to ensure there are warm and hot copies of the data in multiple data centres at any given moment. This allows near instantaneous recovery of the system if a datacenter experiences an outage. Application databases are backed up at least every hour to have point in time recovery in the event there is an attack that damages the application data or data loss is caused by a glitch in the system. These backups are stored in the object storage service for up to a year. Application source code is stored on gitlab. Gitlab tracks all the revisions of the source code allowing for rollback to any given point in time for the entire life of the project. Gitlab is backed up daily, backup files are stored in the object storage service for up to a year. Application data backups are tested quarterly to confirm the backups are valid and consistently stored. Virtual machine failures are executed quarterly to test the replica setup and replication is functioning correctly. Page 6 [ FS Technology Applications Security Controls]

11 3.9. Security Skills Assessment and Appropriate Training to Fill Gaps Find knowledge gaps, and fill them with exercises and training Develop security awareness training and communication for all IT staff. IT staff continuously reviews external news sources like blogs, newsletters, message boards, and social media for any new vulnerabilities or methods to improve security of the production environment. Information that is considered valuable or applicable is shared with other staff members to keep everyone informed Secure Configurations for Network Devices (Firewalls, Routers, and Switches) Preclude electronic holes from forming at connection points with the internet, other organizations, and internal network segments Firewall, router, and switch configurations should be compared against standard secure configurations on a regular basis. This security configuration of such devices should be documented and reviewed. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved. The production environment documentation outlines all the accessible ports that should be allowed through the firewalls. The firewall configuration is reviewed on a quarterly basis to confirm that the documentation is in sync with the configuration currently active on the firewalls. Any changes to the documentation are tracked in the configuration project of gitlab. Changes to the documentation must be approved by the FS Head of Technology Limitation and Control of Network Ports, Protocols, and Services Allow remote access only to legitimate users and services Apply machine based firewalls to block traffic that is not necessary to the function of the machine. Only allow remote access to a machine from approved accounts. Limit remote access to connections originating from approved locations. External firewalls are configured to only allow remote access to the production environment from connections originating from Eckler s Offices. All machines have firewalls active with only the necessary ports opened for the function of that machine. Only approved administrator accounts can remotely access a machine in the production environment. Firewall configurations for each machine are documented in the configuration project on gitlab and reviewed quarterly. Page 7 [ FS Technology Applications Security Controls]

12 3.12. Controlled User of Administrative Privileges Protect and validate administrative accounts on servers to prevent common types of attacks A common type of attack is attempting to crack and administrative password which then grants administrative access to the machine or the production environment. Use robust passwords that are of high complexity. Only select individuals have access to the production environment. The list of user accounts with administrative privileges and where are documented in the Administrators document. Any changes to the document must be approved by the FS Head of Technology. The document is stored in the configuration project on gitlab and reviewed quarterly with auditing tools. User account passwords must meet the NERC standard. Most user account passwords used by applications or services are randomly generated and stored in a password tracker for each account. All passwords in the production environment are changed yearly to prevent the likely hood of an attacker guessing a password correctly Boundary Defence Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines Establish multilayered boundary defences by relying on firewalls, proxies, demilitarized zone perimeter networks, and other network-based tools. The firewalls are the first layer of filtering for inbound application traffic. Only certain ports are open for traffic to enter into the production environment. Most application traffic is then routed to a reverse proxy which then performs application level filtering to route the traffic to the correct application. The reverse proxies live in the DMZ and pass valid traffic off to the trusted network. All machines have firewalls enabled to only allow expected network communication. Outbound ports are limited to protect data leaving the network in the event the production environment is compromised. Splunk is used to monitor logging from all the machines and applications for irregular behaviours in the production environment. Page 8 [ FS Technology Applications Security Controls]

13 3.14. Maintenance, Monitoring, and Analysis of Security Audit Logs Use detailed logs to identify and uncover the details of attack, including the location, malicious software deployed, and activity on victim machines Generate standardized logs for each hardware device and the software installed on it, including date, timestamp, source addresses, destination addresses, and other information about each request and/or transaction. Store logs on dedicated servers, and run bi-weekly reports to identify and document anomalies. Splunk is used to pull log data from all machines and hardware to be processed in a single location. Alerts, reports, and dashboards are continuously built or tuned to turn the log data to useful information to be used for identifying potential attacks, malicious attempts, and system stability on a continuous basis. The data is continuously analyzed to identify useful data patterns that will allow for more insight into the operations in the production environment. Spunk will send alerts to IT staff when event data triggers a defined alert Controlled Access Based on the Need to Know Prevent attackers from gaining access to highly sensitive data Maintain clear separation of sensitive client data from public data. Use methods like separate user accounts, access control lists, and physical separation of data. Prevent unauthorized access to data with the application whether it is an authenticated user or an anonymous user. Each application has data stored in separate databases or accounts with different credentials to prevent cross application access to client data. Each application has unique identifiers for each client that is used to keep client data separate when the application is used by users. Penetration testing is performed annually to validate that the application will not leak one client s data to a user without access to the client Account Monitoring and Control Keep attackers from impersonating legitimate users Use strong passwords for both user accounts and system accounts. Implement tools or logic to lock or disable an account after a number of unsuccessful attempts. Prevent attackers from attempting to guess legitimate account names. Implement monitoring to detect brute force attempts to guess passwords or account names. Splunk is used to build reports and alerts around the authentication attempts both at the system level and application level. After a number of unsuccessful attempts the user s account is disabled to prevent further attempts and must be unlocked by another administrator. Applications block attempts for attackers to guess account names by using tactics like returning the same generic message whether the account is disabled, username invalid, or password is invalid. Applications will also disable a user s account after a number of unsuccessful attempts to prevent brute force guessing of a user s password. Applications also force a password complexity minimum varying by clients requirements. No user can have access to a client s data unless the password meets the client s minimum requirements. Page 9 [ FS Technology Applications Security Controls]

14 3.17. Data Loss Prevention Stop unauthorized transfer of sensitive data through network attacks and physical theft Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. Implement tools and processes that control access to the data and monitor any unauthorized or irregular access to data. All hardware is located in key card locked rooms where only IT staff has access to the rooms. The servers have monitoring to send alerts in the event any piece of hardware is removed or tampered with in any way. Logging from servers and applications allows for tracking of what data was accessed when and from where. All sensitive data is protected by access controls that require authentication which can be used to identify the user that accessed and potentially leaked the data. Firewalls limit outbound ports to minimize the methods data can leave the production environment Incident Response Capability Protect the organization s reputation, as well as its information Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker s presence, and restoring the integrity of the network and systems. An Incident Response plan is used in the event a potential security event like an attack, or malicious software may potentially be present on or in the production environment. The plan is reviewed on an annual basis to keep it up to date and effective Secure Network Engineering Keep poor network design from enabling attackers Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy network architecture with firewall separation between each level. Only allow necessary traffic between each level to provide the required functionality. The firewalls sit on the frontier of the production environment. The reverse proxies filter the application traffic to the specific machine for the application sitting in the trusted network. All software needed to service the client applications sit on the trusted network and are not reachable from external connections. VPN Tunnels link the datacenter networks of the same level together. A network in one datacenter of one level can not talk to a network in the other datacenter of a different level. Network topology is regularly reviewed to make sure all machines reside in the correct network. Page 10 [ FS Technology Applications Security Controls]

15 3.20. Penetration Testing Use simulated attacks to improve organizational readiness Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises - all-out attempts to gain access to critical data and system to test existing defences and response capabilities. Applications are internally scanned using Acunetix Vulnerability Scanner software to regular test in production applications. External penetration testing is performed annually against applications to identify vulnerabilities not discovered by Acunetix or Nessus. IT Staff attempt to attack the systems or applications internally using their professional knowledge and internal knowledge of the environment to identify any unresolved exploits in code or exposed vulnerabilities. Page 11 [ FS Technology Applications Security Controls]

16 4. QUESTIONS Any questions about the Security Controls used for FS Technology Applications should be addressed to any of the following individuals: Sylvain Goulet, FS Head of Technology, Phillip Couto, Web Developer and IT Security, Iván Vacacela, PMP, Technical Business Analyst, Page 12 [ FS Technology Applications Security Controls]

17