Financial technology (Fintech) providers help financial services organizations grow their business and create fast, convenient, and integrated capabilities. Web applications and customer portals are a few ways fintechs enhance the financial services experience. With convenience, however, comes responsibility for securing sensitive data and digital transactions. To this end, your firewall provides the first line of cyberdefenses. Read on to review a comprehensive firewall audit checklist for fintechs.
Firewall Audit Checklist for Fintechs
Your cybersecurity program should include periodic checks of the firewalls protecting your enterprise network, which houses sensitive personal and financial data your customers place in your trust.
Fintech companies should prepare and execute the following for firewall audits:
- Preliminary firewall audit data
- Periodic firewall audit checklist assessment
- Firewall penetration testing and compliance
Preliminary Firewall Audit Data
Before the audit can begin, you need to gather information about your network, security architecture, and configurations to conduct the most effective audit possible. This data includes:
- Current network and firewall topologies
- Data flows, connections, and integrations
- Current security policies
- Firewall logs
- Previous audit reports
- Virtual private network (VPN) and internet service providers
- Classifications of critical servers and data repositories
- Firewall vendor information
- OS version(s)
- Patch history
- Policies and configurations governing access and traffic
Collecting this information should provide your organization with all the documentation you may need to reference when assessing network security and performing firewall penetration testing.
Your Firewall Audit Checklist
The following 17 steps provide a comprehensive firewall audit checklist for fintechs and other organizations:
- Ensure the administrators’ roles and responsibilities are documented, with backup personnel or bandwidth as needed.
- Review rules to ensure suspicious traffic is blocked.
- Remove rule redundancy.
- Disable unused rules.
- Ensure state tables have rules for destination and source IP addresses and ports.
- Ensure firewall logging is enabled.
- Ensure your DMZ properly protects the internal network from internet-based threats.
- Utilize continuous vulnerability scans.
- Configure proper IP blocking of illegal, private, and spoofed addresses.
- Ensure port blocking is consistent with security policies.
- Deploy intrusion detection and security information and event management (SIEM) systems.
- Enable Denial of Service (DoS) protection.
- Ensure firewall rules comply with regulatory guidelines.
- Establish, document, and follow change management processes.
- Automatically log all events and activity.
- Set up alerts and define response procedures.
- Restrict physical access to firewall servers.
Firewalls and Regulatory Compliance
The audit checklist above can inform the stages and focus areas of a general firewall penetration testing checklist, adjusted to the requirements of whichever compliance frameworks apply to your organization.
For example, nearly all financial services organizations must comply with Payment Card Industry Data Security Standard (PCI DSS). This framework applies to any organization that processes, stores, and transmits cardholder data.
The DSS provides a robust framework for firewall protections and other cybersecurity measures, and the Security Standards Council that oversees it offers the following basic requirements for firewall protection:
- Remove and reset vendor password settings.
- Restrict inbound and outbound traffic to payment systems only when necessary.
- Avoid using “ANY” in firewall rules and safelists.
- “DENY ALL” traffic not authorized by your organization.
- Permit only “established” and secure connections to your network.
- Turn on intrusion detection and intrusion blocking.
- Turn on notifications.
- Hide internal addresses with Network Address Translation turned “ON.”
- Check for and install upgrades and deploy patches as they become available.
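Several items in the two lists above (redundant and unused rules, logging on deny rules, blocking of private and spoofed source addresses, no "ANY" allow rules, and a closing "DENY ALL") can be checked mechanically against an exported rule set rather than by eye. The script below is an added example written for this page; it is not code from the original article or from any firewall vendor. The Rule structure, the interface names wan/lan/any, the hit counters and the sample rule export are constructed for illustration, and a real audit would parse the vendor's export into the same shape first.

```python
"""Firewall rule-set audit for several checklist items.

Added example, not code from the original article or any firewall vendor.
The Rule shape, the interface names and SAMPLE_RULES are constructed; a real
audit would parse the vendor's rule export into the same structure.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str          # "allow" or "deny"
    iface: str           # ingress interface: "wan", "lan" or "any"
    src: str             # source CIDR or "any"
    dst: str             # destination CIDR or "any"
    port: str            # destination port number or "any"
    enabled: bool = True
    log: bool = False
    hits: int = 0        # hit counter taken from the export


# Private and loopback source ranges that must never arrive on the internet-facing side
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def _covers(a, b):
    """True if rule a matches every packet that rule b would match."""
    return ((a.iface == "any" or a.iface == b.iface)
            and _net(a.src).supernet_of(_net(b.src))
            and _net(a.dst).supernet_of(_net(b.dst))
            and (a.port == "any" or a.port == b.port))


def _is_deny_all(r):
    return r.action == "deny" and r.iface == "any" and r.src == r.dst == r.port == "any"


def audit(rules):
    """Return (rule_id, code, detail) findings; rule_id is None for set-wide findings."""
    findings = []
    enabled = [r for r in rules if r.enabled]

    for r in rules:
        if not r.enabled:
            findings.append((r.rule_id, "disabled", "disabled rule still present in the rule set"))
        elif r.hits == 0:
            findings.append((r.rule_id, "unused", "no hits recorded; candidate for disablement"))
        if r.action == "deny" and not r.log:
            findings.append((r.rule_id, "deny-no-log", "deny rule does not log"))
        if r.action == "allow" and r.src == r.dst == r.port == "any":
            findings.append((r.rule_id, "any-any-any", "allow rule uses ANY for source, destination and port"))

    # Shadowing: an earlier rule already decides every packet the later rule would match,
    # so the later rule is redundant, or unreachable if its action differs.
    for i, later in enumerate(enabled):
        for earlier in enabled[:i]:
            if _covers(earlier, later):
                findings.append((later.rule_id, "shadowed", f"fully covered by rule {earlier.rule_id}"))
                break

    # Spoofed/private sources: each non-routable range needs a WAN deny ahead of the first WAN allow.
    first_allow = next((i for i, r in enumerate(enabled)
                        if r.action == "allow" and r.iface == "wan"), len(enabled))
    for net in NON_ROUTABLE:
        blocked = any(r.action == "deny" and r.iface in ("wan", "any") and _net(r.src).supernet_of(net)
                      for r in enabled[:first_allow])
        if not blocked:
            findings.append((None, "spoof-gap", f"{net} is not denied on wan before the first wan allow"))

    # Default deny: the rule set should end with an explicit DENY ALL.
    if not enabled or not _is_deny_all(enabled[-1]):
        findings.append((None, "no-default-deny", "rule set does not end with DENY ALL"))
    return findings


# Constructed sample export: rule 4 is shadowed by rule 3, rule 5 allows ANY/ANY/ANY,
# rule 6 is disabled, rule 7 does not log, and 172.16.0.0/12 and 127.0.0.0/8 are never denied.
SAMPLE_RULES = [
    Rule(1, "deny", "wan", "10.0.0.0/8", "any", "any", log=True, hits=120),
    Rule(2, "deny", "wan", "192.168.0.0/16", "any", "any", log=True, hits=44),
    Rule(3, "allow", "wan", "any", "203.0.113.10/32", "443", hits=98000),
    Rule(4, "allow", "wan", "198.51.100.0/24", "203.0.113.10/32", "443", hits=0),
    Rule(5, "allow", "lan", "any", "any", "any", hits=500),
    Rule(6, "allow", "lan", "10.1.0.0/16", "any", "22", enabled=False),
    Rule(7, "deny", "any", "any", "any", "any", hits=12),
]

if __name__ == "__main__":
    for rule_id, code, detail in audit(SAMPLE_RULES):
        print(f"rule {'-' if rule_id is None else rule_id}: [{code}] {detail}")
```

Running the script against the sample export lists seven findings. The shadowing check is the one that catches rule redundancy: rule 4 can never match anything rule 3 has not already allowed, so it is dead weight in the policy. The spoof-gap check is deliberately order-aware, because a deny for private ranges placed after a broad WAN allow does nothing. Hit counters are only as good as the export window, so "unused" findings should be confirmed against a longer log history before a rule is disabled.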
A Brief Look at Web Application Security
Fintechs must protect web applications as they become a new entry point onto your network. Consider some of these tools to enhance your firewall protection:
- Local file inclusion detection
- Reflected cross-site scripting (XSS) detection
- Remote file inclusion detection
- Old backup file detection
- SQL injection detection
- Unvalidated redirect detection
Additionally, PCI DSS 3.1 requirement 6.6 specifically calls for protecting public-facing web applications either with a web application firewall (WAF) or by performing application vulnerability assessments at least annually and after any change.
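The six detection categories listed above can be exercised against ordinary web server access logs as a first pass, which is useful both for validating that a WAF is catching what it should and for retrospective review during an audit. The script below is an added example written for this page, not code from the original article or from any WAF product. The combined-format log lines, the parameter-name heuristics (INCLUDE_PARAMS and REDIRECT_PARAMS), the signatures and the portal hostname portal.example are all constructed assumptions; the patterns are kept deliberately simple and would need tuning against real traffic.

```python
"""Access-log triage for the web application issue categories listed above.

Added example, not from the original article or any WAF vendor. The log lines,
the parameter-name heuristics, the signatures and the own hostname are
constructed assumptions; tune them against real traffic before relying on them.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Parameter names that commonly carry a file to include or a post-login destination (assumed)
INCLUDE_PARAMS = {"file", "page", "include", "path", "template", "doc"}
REDIRECT_PARAMS = {"redirect", "next", "url", "return", "returnto", "goto", "dest"}

BACKUP_RE = re.compile(r"(\.bak|\.old|\.orig|\.backup|~)$", re.I)            # old backup files
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                                       # local file inclusion
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)                          # absolute URL in a value
XSS_RE = re.compile(r"<\s*script|javascript:|\bon(?:error|load|click|mouseover)\s*=", re.I)
SQLI_RE = re.compile(r"\bunion\b.+\bselect\b|'\s*or\s*'?\w+'?\s*=\s*'?\w+|\bsleep\s*\(", re.I)


def classify(target, own_host="portal.example"):
    """Return the set of categories matched by one request target (path plus query)."""
    parts = urlsplit(target)
    cats = set()
    if BACKUP_RE.search(unquote(parts.path)):
        cats.add("backup-file")
    # parse_qsl percent-decodes values, so encoded payloads are inspected in clear
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        name = name.lower()
        if TRAVERSAL_RE.search(value):
            cats.add("lfi")
        if name in INCLUDE_PARAMS and URL_RE.match(value):
            cats.add("rfi")
        if name in REDIRECT_PARAMS and URL_RE.match(value) and urlsplit(value).hostname != own_host:
            cats.add("open-redirect")
        if XSS_RE.search(value):
            cats.add("xss")
        if SQLI_RE.search(value):
            cats.add("sqli")
    return cats


def scan(lines, own_host="portal.example"):
    """Return (client_ip, category, target) for every log line that matches a category."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line; a real pipeline would count these
        for cat in sorted(classify(m["target"], own_host)):
            hits.append((m["ip"], cat, m["target"]))
    return hits


# Constructed sample log lines (combined log format) for demonstration; one per category plus one benign
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /view?file=../../app.conf HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /view?file=http://198.51.100.9/x.txt HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /config.php.bak HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Oct/2023:13:57:00 +0000] "GET /login?user=admin\'%20OR%20\'1\'%3D\'1 HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Oct/2023:13:57:05 +0000] "GET /logout?redirect=https://offsite.example/login HTTP/1.1" 302 0',
    '198.51.100.22 - - [10/Oct/2023:13:58:00 +0000] "GET /account/summary?page=2 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, cat, target in scan(SAMPLE_LOG):
        print(f"{ip:15} {cat:14} {target}")
```

Two design points matter for an audit rather than a product. First, the redirect check compares the destination host against the portal's own hostname, so a legitimate in-site redirect is not flagged while an off-site one is; the list of redirect parameter names is the part most worth adapting to the application. Second, values are inspected after percent-decoding, which is why the encoded script tag in the third line is still recognised. Because these are signatures, a clean scan says nothing about issues the signatures do not cover, which is the reason the article pairs them with periodic vulnerability assessments.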
Firewall Penetration Testing
Firewalls are not “set-and-forget” security tools. The checklists mentioned above cover several areas, physical and logical, that require continuous monitoring and periodic assessment. One of the best possible assessments your organization can conduct is firewall penetration testing.
Penetration testing simulates a real cyberattack to evaluate how firewalls and other cyberdefenses hold up in practice. First, testing teams attempt to gain network and IT environment access by finding and exploiting vulnerabilities. Then, they use the test results to inform security recommendations and remediation.
Firewall Penetration Testing Stages and Checklist
Penetration testing generally follows five to seven stages that collectively provide a checklist:
- Gathering pre-test information
- Testing reconnaissance
- Vulnerability discovery and evaluation
- Exploitation of vulnerabilities
- Testing analysis
- Remediation informed by testing results
Some testers combine or split these stages, but every penetration test, whether of a firewall or of anything else, follows this sequence.
Firewall Security for Fintechs
As a frontline cyberdefense, the strength of your firewall directly ties to your organization’s overall cybersecurity posture. Cybersecurity evaluations cannot ignore firewalls, given the sensitivity of the data and the compliance requirements that fintechs must meet. Periodic assessments should follow a documented firewall audit checklist for comprehensive verification and for historical reference during future assessments.
To fully evaluate firewall effectiveness, fintechs should consider conducting penetration testing.