[PEN-TEST] Your opinions ... last request
From: Jim Miller <MillerJ () FABSSB COM>
Date: Wed, 1 Nov 2000 09:09:38 -0600
Thank you all for your elucidating responses. I have come to understand better the technology that my bank will
deploy. I just have one last point to clarify, and would like to ask one more time for info on this specific point.
The client side security is less than adequate, and the bank intends to protect itself using legal stipulations in
signed client contracts. But this obvious step will be pointless if the system we deploy to the customer is easily
hacked. For the customer, physical security is a recommended control, and necessary to prevent the obvious hack, theft
of the hardware.
But if the certificate itself is easily removed from the client and can be transported and installed on another PC, the
client is even more easily hacked. It would not do the bank any good to deploy the system to any customer if the
certificate is readily accessible by any employee with a fair technical knowledge.
This begs [the last and final] question: can the certificate be exported to another PC without re-issuance by the
bank? Where does the certificate reside on the client? How easily is it hacked, copied, transported, and / or
Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas 77805-8100
millerj () fabssb com
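The question above is where the client certificate lives and how easily it can be copied to another PC. Whatever store the bank's client software uses, the answer comes down to one thing: the certificate is public, so what matters is whether the matching private key sits on disk in a form that can simply be copied. A certificate plus a copied private key works on any machine without any re-issuance by the bank, because the bank's signature on the certificate is still valid. The script below is an added example, not part of the original post or of any bank's software. It assumes the key material is held as files (PEM or PKCS#12); the file names and PEM bodies are constructed placeholders, not real keys. It walks a directory tree and classifies every PEM block or PKCS#12 container it finds, flagging private keys that are stored without a passphrase.

```python
import os
import re
import shutil
import tempfile

# Constructed sample files (placeholder base64 bodies, NOT real keys). Only the
# PEM headers and trailers matter to the scanner, so this runs offline.
SAMPLE_FILES = {
    "client_cert.pem": (
        b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
    ),
    "client_key_plain.pem": (
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
    ),
    "client_key_legacy_enc.pem": (
        b"-----BEGIN RSA PRIVATE KEY-----\n"
        b"Proc-Type: 4,ENCRYPTED\n"
        b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
        b"MIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
    ),
    "client_key_pkcs8_enc.pem": (
        b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFplaceholder\n-----END ENCRYPTED PRIVATE KEY-----\n"
    ),
    "client.pfx": b"0\x82\x01\x00placeholder-der-bytes",  # binary PKCS#12 container stand-in
    "notes.txt": b"nothing of interest here\n",
}

# A PEM block: the END label must match the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def classify_pem(text):
    """Return a list of (label, protection) tuples, one per PEM block in text."""
    findings = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label == "ENCRYPTED PRIVATE KEY":
            findings.append((label, "encrypted (PKCS#8)"))
        elif label.endswith("PRIVATE KEY"):
            # Legacy OpenSSL PEM encryption announces itself with a Proc-Type header.
            if "Proc-Type: 4,ENCRYPTED" in body:
                findings.append((label, "encrypted (legacy PEM headers)"))
            else:
                findings.append((label, "UNENCRYPTED"))
        elif label == "CERTIFICATE":
            findings.append((label, "public"))
        else:
            findings.append((label, "other"))
    return findings


def scan_tree(root):
    """Walk root and map each interesting file (relative path) to its findings."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # PKCS#12 containers are binary; flag them by extension. Their only
            # protection is the import password, which is often weak or empty.
            if name.lower().endswith((".pfx", ".p12")):
                results[rel] = [("PKCS#12", "container (password-protected at best)")]
                continue
            try:
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", errors="ignore")
            except OSError:
                continue
            findings = classify_pem(text)
            if findings:
                results[rel] = findings
    return results


def unprotected_keys(results):
    """Files holding a private key with no passphrase: copying them is enough."""
    return sorted(p for p, f in results.items() if any(prot == "UNENCRYPTED" for _, prot in f))


def demo():
    """Build the constructed sample tree, scan it, clean up, return the results."""
    root = tempfile.mkdtemp(prefix="certscan_")
    try:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    found = demo()
    for path, findings in sorted(found.items()):
        print(path, findings)
    print("copyable without any passphrase:", unprotected_keys(found))
```

Point the scanner at the client PC's profile and application directories rather than at the constructed sample tree. Any hit in the "UNENCRYPTED" list answers the question in the post directly: an employee with read access to that file can carry the certificate and key to another PC, and the bank will never see a re-issuance request. An encrypted PEM or a PKCS#12 file only raises the bar to the strength of its passphrase; if the client software stores that passphrase alongside the file, the protection is nominal.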