What to Look for in IT Security

You’ve heard it said, “All that glitters is not gold.” That phrase definitely applies to IT security in the banking industry. Of course, we all want to hit the mother lode, but what will happen if you end up with a handful of fool’s gold? Security, true security, is the equivalent of the mother lode, whereas compliance alone can get you that fool’s gold. Which result do you want? Shall I assume the mother lode of security?

Like any good miner, you will need some good tools and resources to help you in your quest for the mother lode. It can be difficult to locate trustworthy partners, vendors and programs. What you need is a map to lead you through the maze. Security brings you into compliance, but compliance does not always bring you security. There are many stories of companies who passed a compliance test only days later to have a breach of millions. Don’t be tricked by the glittering fool’s gold.

The first thing you need to do is find a good IT security partner who understands the main principle of “security first.” Following is a list of what to look for in a quality security partner (also called VAR, reseller and outsourced IT shop):

• Has a dedicated representative assigned to you (with at least one backup).
• Has a local office or ability to send someone to help with implementation.
• Has multiple options for each type of security, rather than a one-size-fits-all approach.
• Has engineering staff to help with questions, troubleshooting and issues.
• The sales person asks questions about what you have, what you do, what you like.
• Focuses on security and offers managed and unmanaged services. One such example is SecureWorks [www.secureworks.com].
• Good, current and constant backup of your data (inexpensive solution at www.idrive.com/?p=easybackup).
• A disaster recovery and business continuity plan. Your IT security partner or contractor should be able to help with this item.

After you locate a partner to help you, you need a good process or system for authentication and authorization. These are two generally overlooked or undervalued items in good IT security. Authentication is being sure someone is who they claim to be. Authorization determines what that person can see or have access to based on his or her role (customer, teller, branch manager) in your bank. There are many good authentication/authorization solutions. Things to look for are:

• It can be customized to include all of your applications.
• It is easy to use.
• It is very secure.
• It has an easy process to de-authorize.

AegisUSA is an example of a company that does identity management (including customization for special applications). Identity management can range from password management to single sign-on or full blown “fully federated identity management,” which is everything. This provider offers solutions between $40,000 and $100,000 and they will be implemented within 30 days.

What else do you need on this journey to the security mother lode? In your list of resources and tools, you will need good banking software. You should look for:

• Easy access of all customer information from a central screen.
• A good internal audit/logging trail and records.

The solutions from Integrated Bank Technology [www.ibanktech.net] are an example. The company’s software is easy to use, sophisticated and “green.”

Next on this mother lode quest, you need someone to do a complete security evaluation. This can be done by a partner like SecureWorks or by an independent tester. And finally, you need to ensure you have the required defenses. Below is a list of things you should have:

• Anti-virus, anti-spyware, anti-malware are a must (ESET, Symantec).
• A hardware firewall, not just the Windows software firewall, with updates and checks completed by staff or an outsourced IT service to manage them. Make sure you have written/contractual SLAs with penalties for missing them.
• Web application firewall, if you have any Internet facing web pages, to help stop SQL injection, cross-site scripting and other application issues.
• Full disk encryption on all computers, including desktops.
• IPS intrusion prevention system — both a network IPS (NIPS) and a host IPS (HIPS) to monitor key server files and processes.
• Encrypted email.
• Audit, tracking, logging: Make sure you have good logs (system logs, transaction logs). You need a system to review them and then you act on the warnings and errors highlighted.
• Online banking: Offer secure tokens, which can be a fee for customers, but gives them easy, more secure access. (Brands include entrust, SafeNet, RSA.) Make sure you implement them correctly.
• Web: Ensure all web pages are https (SSL) and tell customers to bookmark the site so they can’t be fooled by fake sites or re-directed to them.
• Opening/closing procedures: written, tested, reminded and evaluated on a quarterly basis.
• Security awareness training with role playing for executives and all employees who touch a computer. This should be monthly or quarterly. In-person is best but web interactive is acceptable. Topics should include:
  — Proper passwords, how to handle, use and not share passwords or use the same password for work and personal matters.
  — Computer use: Unless your job activities require you to have Internet access, then there should be no Internet access on that computer. Use a break room computer for checking personal stuff/surfing. Keep the break room computer off the bank network — just give it outside Internet access.
  — Links: Don’t click on links. Teach how, why, what good and bad links look like.
  — Social engineering: who, what, why, when and how the social engineer gets the information, one piece at a time.
  — Phishing, spear phishing, vishing, smsishing and other common threats to banks.
  — USB drives and removable media policy: Consider using technology to lock these devices.
  — Customer screens, accounts: Don’t leave a screen open or on when you leave your area.
  — Proper authentication via the phone: Don’t give out info; make the caller give it to you but only ask for what you really need.

It is this level of security that helps you enjoy the mother lode. With this defense-in-depth, you will not be tricked into the lure of the shiny, but worthless, fool’s gold. Fool’s gold levels of security leave you uneasy and with a sinking feeling in the pit of your stomach should anything happen at your bank. Security at the mother lode level lets you sleep soundly at night.

Paul Herbka is president of the Denver chapter of the Information Systems Security Association. He can be reached at paul74h(at)gmail.com.

Copyright © November 2010 BankNews Media