Gone are the days of stockholders and management worrying only about physical security. Your bank’s perimeter security now includes the information technology system. Attacks are becoming more numerous, sophisticated, and destructive. Some hackers are willing to spend a lot of time to instigate an attack, including spending considerable time probing for information, looking for opportunities to break into your bank. Instructions for hacking are readily available, often in cookbook formats that even a novice can follow.
Today’s attacks from the outside can slip through firewalls disguised as normal traffic. Often these attacks are assisted by employees unknowingly visiting websites that pass spyware or backdoor programs back to their desktops.
Every day, your bank encounters thousands of probes. If your network connects to the Internet or permits email communications, you are susceptible to these probes and a firewall should be protecting your perimeter. If the bank uses a service bureau, you should have a firewall behind its router. This protects your bank from the service bureau if it has an intrusion and it also protects the service bureau if you have an intrusion. But remember, a firewall is not a panacea.
The value of a firewall
Firewalls are good at blocking ports and IP addresses and may be good at detecting and dropping traffic that does not meet IT industry standards or protocols. One of the items on the examiners’ checklist is a copy of your firewall log. Too many times the network administrator has “tuned” the reporting down so that little activity appears. Tuning the contents of the report is one of the options in the firewall configuration. Often the network administrators don’t have time to adequately review and analyze the logs, or may not have the skills to perform the analysis, which results in tuning the reports so that nothing or very little shows up.
Another explanation for the scarcity of entries in the log is that the firewall does not have “intelligence” (i.e., it is not capable of interpreting and reporting the details of the attacks). An indication of this condition is that, regardless of the attack, the report contains only “connection denied” and no other information. In this case, the firewall is more of a router than a firewall.
Without independent review and testing, your firewall may not be working as management expects. The testing should include intrusion scans on the external ports and vulnerability scans on the internal ports. Management generally does not understand the implications of the firewall configuration and relies upon the network administrator to correctly set up the firewall. Receiving logs and reports from the firewall does not mean that it is properly configured or working effectively.
Any IT person or IT examiner knows that the log can be expected to be voluminous, with a variety of detailed information. To complicate matters, interpreting the firewall reports requires considerable training, experience, and time to stay current on new threats in the security environment. If the firewall is not configured correctly, if you are not getting the information, if you are not spending the time to review the reports, or if you do not understand the logs, then your firewall could itself be a security risk.
The best approach for improving security
As with physical security, the best IT security is a layered approach, which involves using several different security products, each having a particular purpose. These layers may also provide monitoring or checking of other products. An intrusion detection system is one of the components of an effective security system, along with security policies, core system security, auditing, router security, firewall(s), a business continuity plan, and an incident response plan. Each layer provides some protection and the penetration of one layer does not necessarily mean the whole bank has been compromised.
Guidance on IT security starts with several early pronouncements and gains momentum with the Gramm-Leach-Bliley Act, which requires that “each bank design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank’s activities.” GLBA also says that each bank must consider whether measures listed in the act, including monitoring systems to detect attacks or intrusions, are appropriate for the bank and adopt those management considers appropriate.
While this is not a mandate, several other regulations include an intrusion detection system as an integral part of a layered security program. Management is responsible for the bank’s security program and, therefore, is responsible for determining if an IDS would enhance the bank’s IT security. Recently, we have seen more examiners “suggesting” that banks have intrusion detection systems, even smaller banks.
The purpose of an IDS
Intrusion detection is defined as detecting inappropriate, incorrect, or anomalous activity. An IDS is a warning system, while a firewall is a blocking security device. An IDS monitors all network activity directed to the outside world: traffic that is initiated from the outside and travels through the firewall into the bank’s network, and all activity that originates inside the network and is headed out through the firewall. Multiple IDSs can be placed within the network to monitor additional internal traffic, such as traffic to the core processor.
IDSs, like other security devices, have their limitations and are not perfect, and their reports also require considerable training and experience to interpret the alerts. They are most effective when combined with monitoring and reporting from several security components. The security system reports may include external monitoring reports (if your bank hosts its own Internet banking, Web hosting, or email services), firewall reporting, and IDS reporting. The IDS should be placed behind the firewall(s) in order to confirm the firewall’s configuration and operation. Placed directly behind the firewall, the IDS can monitor all network activity directed to the outside world.
What does an IDS do?
An IDS looks for “signatures,” the characteristics of known attacks. These signatures must be updated frequently to maintain effectiveness. Equally important is the tuning of the IDS alerts, as with the firewall. When first installed, an IDS requires a lot of attention to analyze the alerts and determine what is normal traffic.
An IDS can provide useful information about malicious internal network activity and identify the source of incoming probes or attacks. Some of the other things it can do are confirm firewall configurations, identify Trojan horses and spoofing, and collect forensic evidence that may identify the intruders. An IDS has been compared to a burglar alarm, in that an alarm may sound when an intruder or abuser is detected. After the alarm, the report must be investigated to determine whether an intrusion or abuse has occurred and whether your incident response program should be activated.
Many attacks and policy abuses occur internally. In today’s litigious world, management must be sensitive to the types of websites employees visit. A properly designed IDS can also provide information on types and frequency of websites visited. Words and names can also be monitored, email content can be screened, unauthorized network connections can be identified, usage of IT resources for personal purposes can be reviewed, network listening programs can be identified, and much more.
Employees visiting non-bank-related websites seem innocent enough, but often the visits result in spyware or backdoor programs being placed on their desktops. These programs can collect information, use existing open outgoing ports on your firewall, and transmit information to the hacker. Since the hacker is using the same port as normal traffic, the firewall does not detect it. Some of these programs are almost impossible to remove once found; some can even reproduce themselves. All of this may go undetected by your firewall; however, an IDS would probably send an alert for this type of activity.
What to do with the alerts
The alerts are like clues — the frequency, the time of day, or the destination may be a hint of abnormal traffic. First, the IDS alerts need to be combined with the information from the firewall logs. Next, the combined information needs to be analyzed and organized in a meaningful manner that provides better clues. Based upon this analysis, the investigation begins with the network administrator examining the desktop’s hard disk or the server for spyware, backdoor programs, or other software that does not belong on the equipment. As with the firewall, being flooded with meaningless alerts may reduce the effectiveness of the IDS.
How to handle the alerts
A good analysis program can restore the effectiveness of both the firewall and the IDS by identifying suspicious patterns, addresses, or activities that may be evidence of an attack. The analysis program can gather other evidence that may lead to identifying the name and host of the address used and the Internet service provider. In some cases the owner of the IP address can be identified and perhaps contacted, particularly if they are a vendor or a customer, so they can investigate the activity.
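The two preceding sections describe combining IDS alerts with firewall log entries and then looking for frequency, time-of-day, and destination clues. The following is an added illustration of that analysis step, not code from the article or from any product it mentions; the log formats, addresses, signature names, and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data (not from the article); both files start with "date time".
FIREWALL_LOG = """2005-03-01 02:10:05 ALLOW 10.1.1.25 203.0.113.9 80
2005-03-01 02:20:05 ALLOW 10.1.1.25 203.0.113.9 80
2005-03-01 02:30:05 ALLOW 10.1.1.25 203.0.113.9 80
2005-03-01 09:15:40 ALLOW 10.1.1.40 198.51.100.7 443
2005-03-01 09:16:02 DENY 192.0.2.77 10.1.1.2 22
2005-03-01 09:16:03 DENY 192.0.2.77 10.1.1.2 23
2005-03-01 09:16:04 DENY 192.0.2.77 10.1.1.2 3389"""
IDS_ALERTS = """2005-03-01 02:20:06 BACKDOOR-BEACON 10.1.1.25 203.0.113.9
2005-03-01 09:16:03 PORTSCAN 192.0.2.77 10.1.1.2"""

def parse(text, fields):
    """Split 'date time f1 f2 ...' lines into dicts keyed by `fields`, plus a datetime."""
    rows = []
    for line in text.splitlines():
        d, t, *rest = line.split()
        row = dict(zip(fields, rest))
        row["ts"] = datetime.fromisoformat(f"{d} {t}")
        rows.append(row)
    return rows

def correlate(fw_rows, ids_rows, window=60):
    """For each IDS alert, gather firewall entries from the same source within `window`
    seconds, so the analyst sees what the firewall allowed or denied around the alert."""
    out = {}
    for a in ids_rows:
        out[(a["sig"], a["src"])] = [r for r in fw_rows if r["src"] == a["src"]
                                     and abs((r["ts"] - a["ts"]).total_seconds()) <= window]
    return out

def suspicious_patterns(fw_rows, business_hours=(8, 18), min_hits=3):
    """The article's clues: frequency (repeated flows), time of day (off-hours traffic) and
    destination (one source hitting many denied ports). Returns (kind, src, detail, count)."""
    findings = []
    flows = Counter((r["src"], r["dst"], r["port"]) for r in fw_rows if r["action"] == "ALLOW")
    findings += [("repeated-flow", s, f"{d}:{p}", n) for (s, d, p), n in flows.items() if n >= min_hits]
    off_hours = Counter(r["src"] for r in fw_rows if r["action"] == "ALLOW"
                        and not business_hours[0] <= r["ts"].hour < business_hours[1])
    findings += [("off-hours", s, "", n) for s, n in off_hours.items()]
    denied = defaultdict(set)
    for r in fw_rows:
        if r["action"] == "DENY":
            denied[r["src"]].add(r["port"])
    findings += [("port-probe", s, "", len(p)) for s, p in denied.items() if len(p) >= min_hits]
    return findings
```

On the sample data, the workstation 10.1.1.25 is flagged both for a repeated flow to the same outside address and for off-hours activity, which together match the IDS beacon alert; the outside address 192.0.2.77 is flagged for probing several denied ports around its scan alert.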
In more severe cases, the Internet provider may need to be identified and contacted regarding the activity. Not all IP addresses can be automatically filtered out; too often the address has been “spoofed” or faked and used by the hacker without the address owner’s knowledge. Sometimes it is more useful to try to gather additional information about the attacker.
Using a layered approach improves security. Combining a firewall with an IDS upgrades a bank’s security, providing detailed logs and alerts of suspicious activity. An IDS can provide information about many different types of attacks. As with firewall logs, the IDS alerts must be analyzed, interpreted, and investigated so that security risks are not overlooked. The person analyzing the reports needs considerable training, experience, and time to stay current on new threats in the security environment.
John Block is managing director of Secured Technology L.L.C., in Olathe, Kan., a firm that assists financial institutions with managing risks associated with information technology. For more information, visit www.securedtechnology.com.
© Copyright BankNews, March 2005