March/April 2003
Volume LXXIX Number II

Published by BAI

Beyond the Firewalls

By Karen Epper Hoffman

Effective online security depends on more than just the latest technology; it also requires the proper mindset and procedures.

For online banking to reach its full potential, consumers must overcome their security fears. And that will be a tall order for financial institutions to fill.

The problem is that security threats are increasing rather than receding. The more complex Internet systems become, the more vulnerable they are. "Complexity is the enemy of security," says Brian O'Higgins, chief technology officer for Entrust, a security software vendor based in Addison, Texas.

The seriousness of this threat was underscored in late January, when the "SQL Slammer" virus knocked out corporate servers around the country. Among the financial service providers affected were Bank of America Corp., First Data Corp. and Canadian Imperial Bank of Commerce in Toronto.

Although new security systems are being introduced all the time, they are never entirely adequate to deal with all the proliferating threats. The response required of financial institutions then goes beyond technology and new security systems to mindset and procedure. Banks need to incorporate security into all their online planning and then set up rigorous protocols to identify and quash potential threats.

Such measures will unfortunately add to expenses at a time when banks are anxious to squeeze some profitability out of their online operations. But the risk of not taking action is grave. Financial and legal liability can be enormous when criminal elements or mischief-makers penetrate a bank's customer files. An institution's very reputation as a safe haven for customer funds is at stake.

There's also a danger that online banking will stagnate as a business unless customers can get better assurances their money is safe. According to a recent TowerGroup Inc. survey of 3,800 U.S. households, 17% of consumers still cite security concerns as the primary reason they don't utilize online banking. Jim Eckenrode, group research director for consumer banking, says these security concerns have been a major factor in the disappointing growth of online bill payment in particular.

With so much at stake, financial institutions need to consider a range of options for combating online fraud. These include new types of security systems, such as biometrics, smart cards and real-time detection devices; continuous auditing of online systems; careful monitoring of outsourcers and vendors; and even ongoing education of customers.

Guard at the Gate

Online banking today is fairly proficient. Customers can track their balances, move money between accounts, pay bills and even research and purchase investment products. Those advances in capabilities come at a price, however. More dense and intricate systems mean more potential for bugs in the software, more vulnerabilities and more holes to patch — in short, a greater security risk.

The shift from a client-server model to a Web-based network model of computing contributes to this insecurity by opening more bank infrastructure to the outside world. As banks make more of their services and data accessible through the Internet, the easier it becomes for an unwanted element to break into more sensitive areas.

Essentially, banks have provided greater access to their applications without necessarily addressing underlying security issues, according to Harriet Goldman, vice president for professional services at Quadrasis, a Waltham, Mass.-based security solutions unit of Hitachi Computer Products. "If you get past the guard at the gate," Goldman says, referring to banks' firewalls and upfront security, "you've got run of the house."

This increased vulnerability can be seen across American business. The number of online attacks against businesses has been doubling for the past few years with a 142% jump in 2001 alone, according to the Carnegie Mellon Software Institute. Nearly half (45%) of IT professionals say U.S. businesses are not prepared for a major cyber-attack, according to a July 2002 poll conducted by the Business Software Alliance, while only 1% of experts say that businesses are highly prepared for such an onslaught.

Since none of these surveys focus on financial institutions specifically, it's difficult to gauge the precise dimensions of the threat faced by banks, or the damage sustained. The most recent annual joint survey by the San Francisco-based Computer Security Institute and Federal Bureau of Investigation does show a surge in online "financial fraud" sustained by a wide range of businesses, including banks. Respondents to the 2002 survey reported an average loss of $4.6 million, up from $4.4 million the year before and $1.5 million in 2000.

Bankers are well aware of the problem. "We certainly agree that the occurrence of attempts has increased significantly," says James Wade, chief information security officer for KeyCorp's technology services unit in Cleveland.

Counterpane Internet Security of Cupertino, Calif., is a company that tracks potential online infiltration for large companies. According to chief marketing officer John Bruce, financial institutions account for 28% of Counterpane's business, the security company's second-biggest client segment, after manufacturing. "There are a lot of reasons criminals would be attracted to banks," Bruce says. "The greatest return is there."

Over the past three years, Counterpane says it has investigated 200,000 incidents at various industry Web sites and stopped 30,000 attacks in progress. While Bruce characterizes banks as generally more "buttoned down" than other large companies, he asserts that several successful security breaches of banks have occurred that "never made the Wall Street Journal."

Script Kiddies

And where are these threats coming from? Many come from countries such as Russia, China, Nigeria, and Vietnam, which possess a cadre of technically trained people despite impoverished economies, according to Catherine Allen, chief executive of the Banking Information Technology Secretariat or BITS, the technology arm of the Financial Services Roundtable. Pete Murphy, chief information officer of Birmingham, Ala.-based AmSouth Bancorp, says his team frequently uncovers would-be foreign infiltrators running software scans or sweeps of the bank's system looking for any vulnerabilities to exploit.

The 2002 joint CSI/FBI survey details a few recent incidents involving Russians. In 2001, for example, two men from Chelyabinsk, Russia, were able to access bank accounts at Los Angeles-based Nara Bank and Central National Bank of Waco, Texas, apparently by penetrating Internet service providers. In early 2002, another hacker was able to extort $10,000 from an unnamed "New York bank" by acquiring account details through an online service provider.

As these incidents demonstrate, outsourcers constitute a key area of vulnerability for financial institutions. Peter J. Baldassaro, Jr., vice president and manager for the corporate security department of Hibernia Corp. in New Orleans, stresses the importance of vetting outsource vendors and conducting regular audits of their performance. He says bankers should ask how the vendors screen their employees and manage risks — especially those vendors operating outside U.S. borders.

Atlanta-based S1 Technologies, which hosts Web services for many mid-tier banks, suffered a security breach last July, when an unknown hacker broke into its Austin data center. Chief security officer Terrance Gattis says S1 initially thought some of its data might have been compromised, but later found that was not the case.

The incident did serve as a wake-up call, however. When S1 talks with clients today, "the security conversation is a larger part of the discussion, even in the sales process," says Vic Syracuse, S1's senior vice president for operations and technology. He notes that S1 undergoes annual regulatory audits, as well as more frequent reviews by customers and its own private auditors. Nonetheless, hackers have attempted to extort money from the company with threats of compromised data. "You just have to stay on top of it," Syracuse says. "It's a war out there."

In addition to criminal threats, banks have to deal with a growing corps of hackers who infiltrate computer systems mostly for the fun of it, to cause malicious mischief. These include "script kiddies," young hackers who may not know how to write their own code, but are able to obtain a variety of off-the-shelf viruses.

Smart hackers often publish virus-writing tools, which these script kiddies can use to wage their own attacks, such as logic bombs and "denial-of-service," where hackers distribute "zombie" programs over the Internet to throngs of other machines and then use this phantom network to bombard a single Web site and force its server down. "There's been an increase in those sorts of attacks," says Allen of BITS, which is headquartered in Washington, D.C. "It's easy for people to do."

One of the most dramatic hacker attacks occurred in late January, when the SQL Slammer virus hit corporate networks running Microsoft Corp.'s SQL Server 2000 software. Spreading through the networks, rather than e-mail, the virus exploited a design flaw in the software to take over communications ports and send copies of itself to exposed servers. The proliferation of messages crashed the servers and caused congestion on the Internet for one weekend. Although not directed specifically at banks, the attack temporarily knocked out most of BofA's ATM network, online banking system and call centers and caused lesser disruption at Greenwood Village, Colo.-based First Data, the nation's largest credit card processor.

Beyond the Perimeter

Given all that banks know about the threats facing them, are they doing enough to limit their exposure? Reviews are mixed. "Banks are more aware than the average corporation, for sure," says O'Higgins of Entrust. "But they still tend to underestimate the threat."

One problem, he says, is that banks place too much emphasis on exterior defenses — "building up the perimeter" — and don't focus enough on internal security. For example, banks may invest a lot of time and money in their firewalls and encryption, but smart hackers can often find points of intrusion through less guarded mail ports and other areas of weakness. Once they're inside, security measures do little to prevent further compromise. The upshot, O'Higgins says, is that a bank's online security is like an egg: "a hard crunchy shell, but soft inside."

When it comes to building a defense in depth, there are no easy answers or off-the-shelf solutions. "There's not a single solution that any organization can put into place to inoculate itself from these problems," says KeyCorp's Wade. What is required, rather, is a series of steps that can work in combination with each other to reduce the risk. These include, for example, incorporating security concerns, technologies and protocols earlier in the online planning process.

"As soon as you start talking about Web stuff, even before you have something running, you need to discuss security," says Robert Garigue, vice president and chief information officer for Bank of Montreal Financial Group in Toronto.

Security also needs to be a bigger part of the discussion as sites get updated and new technologies emerge. For example, the increasing use of instant messaging has raised questions for banks regarding the safety of their protocols and the potential for such messages to cross firewall boundaries in an unsecured fashion. Plotting out the ramifications of such developments and how to deal with them is becoming a more important piece of the job when looking at potential security glitches, according to Garigue.

In the critical area of authenticating users, some new technology may help. O'Higgins expects biometrics and smart cards to play a bigger role in the future. But today, many banks are still using the same level of encryption they adopted several years ago, which has weaknesses. Quadrasis' Goldman, for example, says most companies have secured their network layer, but not their application layer, which is where user programs have access to the resources of the system. Her company, therefore, focuses on providing tools that integrate security at that enterprise application layer where so many channels connect.

Using real-time detection as well as more automated intrusion detection may be helpful. As many security experts point out, stopping hackers from trying to break into a bank's inner sanctum may not be as feasible as simply finding and stopping them once they do get in. Hence, methods of detection — both automated and human — are becoming more and more key to the security plan. Mail ports, for example, represent one area of vulnerability, which has forced many banks to install intrusion detection software to guard them, says S1's Gattis.

While hackers have long employed scanning programs to sniff around a bank's system, looking for potential fault lines to exploit, this probing has gotten ever more sophisticated with time. Hackers are probing for vulnerabilities within the architecture itself, making the simple issue of how a bank shields its application servers all the more critical. "You want to make sure they can't open the window even a crack," says Tom Cable, chief executive of Atlanta-based NetBank Inc.

When intruders do get in, banks can turn to vendors such as Counterpane, whose software reviews a company's online network logs in real time, looking for any potentially malicious tampering. The software feeds these records back to Counterpane's Washington, D.C. or Mountain View, Calif. offices to be reviewed by analysts there.

Continuous Auditing

This underscores the fact that no matter how good the technology gets, the real-time human element is important to nip such a potential threat in the bud. "The products alone are not keeping up," Bruce says. "You can't codify a response to this."

To that end, there's a need for careful and continuous auditing. No matter how confident a bank or a service provider might feel that they've shored up their systems against attack, there's always the chance of someone finding a way in. So it helps to have someone looking over your shoulder now and again.

While many banks have long used internal and independent auditors as a means to double-check their work, the increase in online threats has forced the industry as a whole to redouble its efforts. To supplement their quarterly regulatory examinations, for example, many banks have engaged auditors and private security firms to test their systems on a more frequent basis.

Ultimately, there's no substitute for an institution's own relentless focus on security. NetBank's Cable says it's important to continually review systems, protocols and software. "It would be pretty naive to set up your security and think it would be good for 'a while.'"

Banks also need to avoid offering services that introduce too much security risk. For example, many banks have felt that allowing customers to access information over wireless networks is too risky, especially considering the relatively small demand for such services in the U.S. Bank of Montreal's Garigue points out that even if a great business case existed for introducing more advanced wireless financial services, common wireless protocols are still "inherently weak in security." Thus, it might be better to wait for better security protocols.

Last, but not least, institutions should encourage customers to erect their own safeguards. Customers play a big role in bank security, whether or not they realize it. They must be vigilant about protecting information that could allow a cyber-predator access to their personal accounts. And they also need to be more wary of becoming the unwitting pawns of hackers by carrying zombie programs or viruses to their banks or becoming hot points for more nefarious activity.

As broadband and its "always-on" Internet connections become more popular, customers are even more exposed to online security problems. "Banks haven't publicized the dangers well," says TowerGroup's Eckenrode. He and other experts say bankers may have to take on more of a role in educating their customers about online security in order to protect both themselves and the customers. It's not just a matter of protecting user names and passwords. Customers also need to install anti-virus software and make use of firewalls on their home systems, especially if they have an always-on connection that could give hackers more opportunity to plant destructive data.

"Anybody who does business on the Internet has a responsibility to educate customers about safe computing practices," says AmSouth's Murphy. "The challenge is discussing security concerns in a way the general population can easily understand."


Ms. Hoffman is a freelance writer based in Poulsbo, Wash.

Copyright © 2003 by Banking Strategies, published by BAI.
