
Archive for March, 2009

What are the odds of a security breach at your institution?

Tuesday, March 31st, 2009

If your home has ever been burglarized, you know the unnerving feeling of being violated and how the experience can haunt you for a long time.

Obviously, locks and bolts are only as strong as the door and the frame they’re fitted to. This is also true of the security posture of financial institutions. Outdated software applications, misconfigured devices, and ineffective security policies are much like the weak or rotten woodwork framing the door of your home.

In the same way that you would check your home's door frames and replace any rotten wood, you should check your institution's operating systems, network devices and configurations for weaknesses and vulnerabilities. No single security product will stop every type of breach. After all, bank security is about risk mitigation, not absolute safety from bad things happening.

So, what are the odds of a security breach at your institution? Today, the United States banking industry has about 9,100 commercial banks along with approximately 1,800 thrifts worth about $520 billion. If we consider bank robberies alone, close to 6,000 banks were robbed in 2008. That translates to 60-66%, or six out of every 10 banks. Twelve percent of the loot, representing nearly $6.5B, was never recovered. That's an example of physical bank security; but what about data security?

The Identity Theft Resource Center’s 2008 breach report reached 656 reported data breaches at the end of 2008, reflecting an increase of 47% over 2007. Reports of data breaches are expected to increase in 2009. As of early March 2009, there were already more than 100 reported cases. 

While there still are major problem areas, there is good news. Tools that mitigate the risk have become more sophisticated and more affordable.

Securing your financial institution from unauthorized access is paramount. Don’t expect to put a check mark next to data security and say “done”. This is an ongoing process, and will require management and monitoring as part of your compliance initiatives. The best method for maintaining the security of your information systems is to perform external and internal vulnerability risk assessments, and find your weaknesses with testing.

These assessments identify vulnerabilities that would allow outside, untrusted networks to gain access to internal, trusted networks and systems. They also identify the steps you must take to thwart intentional attacks or unintentional mistakes by trusted internal users and systems.

With a detailed evaluation of the current state of your network security, you can get a clear picture of your security strengths and vulnerabilities, and develop a detailed plan for more effectively protecting your institution.

It’s not such a bad idea to do the same for your home. But that’s a topic for another blog.

How does your security strategy rate?

Tuesday, March 31st, 2009

Much to the chagrin of IT professionals who face the constant onslaught of threats and problems, security tests can never prove that you are secure. That's because security is a process, not a final destination. As such, security testing should be applied with a well-thought-out strategy.

A strategy can include the following reasons for security testing.

1. To establish a baseline risk analysis or vulnerability inventory of the entire organization
2. As a routine checkup such as might be part of a regular audit
3. To comply with regulations, legislation or standards
4. To document controls for a third party audit
5. To validate new processes
6. To implement a new or enhanced business application
7. Upon mergers, acquisitions, and outsourcing
8. Upon installing new infrastructure components such as web servers, virtual private networks or firewalls
9. In reaction to an event such as a security breach

To know what is right for your institution, you need to clearly define your requirements and tailor an approach to meet them. The key questions you need to consider are:

1. What is at risk?
2. What are you protecting against?
3. What do you need to test?
4. What kind of report do you need?

To be secure, an institution must incorporate security into its core functions and systems end-to-end. A well-considered approach to security testing that balances different approaches to your needs will improve the value of your security program and help validate the security of your business.

What are the top security threats for 2009?

Thursday, March 26th, 2009

Internet-based attacks are becoming increasingly sophisticated and specialized as profit-driven criminals continue to hone their approach to stealing data from businesses, employees and consumers. Security threats are propagating more rapidly, becoming increasingly difficult to detect, and are exploiting technological and human vulnerabilities.

Every year, Cisco releases a security report. Highlights from 2008 include:

•  Insider threats. Negligent or disgruntled employees can threaten corporate security. The global economic downturn may prompt more security incidents involving employees, making it crucial for IT, HR, and other lines of business to collaborate on mitigating threats.

•  Data loss. Whether through carelessness, breaches by hackers, or from insiders, data loss is a growing problem that can lead to grave financial consequences. Technology, education and clear, well-enforced data security policies can make compliance easier and reduce incidents.

•  Mobility, remote working, and new tools as risk factors. The trend toward remote working and the related use of Web-based tools, mobile devices, virtualization, “cloud computing” and similar technologies to enhance productivity will continue in 2009, challenging security personnel. The edge of the network is expanding rapidly, and the increasing number of devices and applications in use can make the expanding network more susceptible to new threats.

•  Spam. Spam, or unsolicited email, is one of the most pervasive Internet threats, affecting nearly every Internet user and organization in the world. Spam accounts for nearly 200 billion messages each day, approximately 90 percent of worldwide e-mail; and the United States is the biggest source at 17.2 percent.

•  Phishing. While targeted spear-phishing represents about 1 percent of all phishing attacks, it is expected to become more prevalent as criminals personalize spam and make messages appear more credible.

•  Botnets. Botnets allow an attacker to gain control over computers and networks and make them hubs for malware distribution. Legitimate websites are infected with iframes or malicious code injected by botnets to harvest personal information, and they redirect visitors to malware-downloading sites that appear trustworthy.

•  Social engineering. The use of social engineering to entice victims to open a file or click links continues to grow. In 2009, social engineering techniques will increase in number, vectors and sophistication.

•  Reputation hijacking. More online criminals are using real e-mail accounts with large, legitimate web mail providers to send spam. This "reputation hijacking" offers increased deliverability because it makes spam harder to detect and block. In 2008, spam resulting from e-mail reputation hijacking of the top three web mail providers accounted for less than 1 percent of all spam worldwide but constituted 7.6 percent of those providers' mail traffic.

To protect your networks against attack, it’s important to look at all the basic elements of your security policies and technologies. You can lower your risk of data loss by fine-tuning access controls and patching known vulnerabilities to eliminate the ability for criminals to exploit holes in infrastructures. It’s also important to upgrade applications, endpoint systems and networking equipment to help ensure that your systems run smoothly and minimize risk.

Don’t let development pressures cut security testing short.

Thursday, March 26th, 2009

There are more than 5,000 known security vulnerabilities and the number is growing. In 2008, there were 11.5% more internet security vulnerabilities disclosed than in 2007. That's because we're getting better at identifying and eliminating vulnerabilities. But all the progress made can be thrown out the window if you're in a hurry to roll out the latest and greatest software upgrade.

There are a lot of reasons for time schedules to be cut short. Let's say something is added or changed in the development process which results in the need for more development time. To catch up, the temptation is to shorten the time scheduled for testing. Studies of security breaches that have made recent headlines reveal that inadequate testing procedures were largely to blame for most of the breaches.

This scenario is common in the financial services industry. When institutions do roll-outs, they often don’t allow sufficient time for security testing. Or if they do, the developers take too long, often shortening the time needed to perform sufficient security testing. 

Solving security problems is more of a cultural and management issue than a technical one. People at the top of an organization need to realize that security testing is imperative. Pushing to squeeze a change in as soon as possible affects the testing schedule, so you will need to allow extra time.

Everyone in the organization, from the board room down to the marketing department, must understand that proper security testing is more important than meeting a project deadline.

Treating security this way makes sound financial sense. Tangible losses from attacks, for example, can affect productivity, revenue, direct costs and customer trust. Even if no customers lose money in a security breach, a customer complaint alleging that your institution has breached the Data Protection Act by failing to adequately secure financial data can cause big problems.

The moral of the story? Don’t cut security testing short just to meet deadlines. Fixing a problem once software has gone live is much more expensive than dealing with the problem at the design stage.