Regional financial institutions assume their security systems are adequate to protect their customers and ensure regulatory compliance. And why not? To lock down their networking infrastructures, they have deployed firewalls to enforce policies regarding who is authorized to enter the network. They have installed virus protection software on their desktops and laptop computers to defend against worms, Trojan horses and other malware. And for their last line of defense, they have sophisticated intrusion prevention systems to catch any threats that manage to bypass their firewalls.
But are these precautions enough? Most banks install their security systems and leave them unattended except for the periodic updates of their virus software. A mid-sized financial institution with $500 million in assets might have an IT staff of four to five people. These employees must administer and troubleshoot a variety of systems and services like switches, routers, server farms, e-mail, Internet access and web hosting. In most cases, they are too busy to focus on security and no staff member is an experienced IT security professional.
This absence of oversight can pose serious problems, particularly with complex IPS devices. A conventional firewall allows or blocks traffic on administrator-written rules about addresses, ports and protocols, without looking at the payload; an IPS examines the payload of each packet and drops packets that match a signature or otherwise look suspicious. IPS platforms therefore need to be tuned for sensitivity. A device calibrated to block any questionable traffic will also block a great deal of legitimate traffic, such as financial transactions or customer queries. A virus might have a telltale signature of 15 bytes, yet those same 15 bytes can also appear in innocuous traffic, for example in an e-mail or web page that merely discusses the exploit. An IPS that matches on the bytes alone, without regard to the protocol or the direction of the traffic, will block every instance of the signature, unable to distinguish good communications from bad.
Against this background, the only sure way to optimize the effectiveness of IPS devices is by using trained security professionals who can tune the solutions over time and monitor their data. By carefully scrutinizing traffic, these IT security specialists can adjust the sensitivity of the IPS to produce optimum results, as well as immediately identify new threats as they emerge.
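As an added illustration (not code from the article or from Message Secure), the following Python models the 15-byte signature problem described above: a bytes-only rule fires on a mailing-list message and a web page that merely quote the attack string and misses a URL-encoded copy of the attack, while a rule anchored to protocol context fires only on the real requests. The signature, port numbers and packets are constructed for the example; they are not real vendor signatures or captured bank traffic.

```python
"""Toy IPS signature matcher: a bytes-only rule versus a context-anchored rule.

Added illustration for the article's 15-byte signature point; the signature,
ports and packets below are constructed and are not real vendor signatures
or captured bank traffic.
"""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Hypothetical 15-byte "telltale" signature for a command-injection probe.
SIGNATURE = b"/bin/sh -c 'id'"

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes
    malicious: bool  # ground truth used only to score the rules; an IPS never has it


# Constructed traffic: two real attacks and three innocuous packets.
PACKETS = [
    # 1. The attack: injection in an HTTP request URI, client -> server.
    Packet(51234, 80, b"GET /cgi-bin/report.cgi?dept=loans;/bin/sh -c 'id' HTTP/1.1\r\n"
                      b"Host: www.example-bank.test\r\n\r\n", True),
    # 2. Same attack, URL-encoded: a bytes-only rule never sees the 15 bytes.
    Packet(51238, 80, b"GET /cgi-bin/report.cgi?dept=loans;%2Fbin%2Fsh%20-c%20%27id%27 HTTP/1.1\r\n"
                      b"Host: www.example-bank.test\r\n\r\n", True),
    # 3. A security mailing-list post (SMTP) that quotes the exploit string.
    Packet(51235, 25, b"From: lists@example.test\r\nSubject: advisory\r\n\r\n"
                      b"The probe sends /bin/sh -c 'id' in the query string.\r\n", False),
    # 4. A web page (server -> client) documenting the same pattern.
    Packet(80, 51236, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<p>Example payload: /bin/sh -c 'id'</p>", False),
    # 5. An ordinary customer query.
    Packet(51237, 80, b"GET /accounts/balance?acct=1234 HTTP/1.1\r\n"
                      b"Host: www.example-bank.test\r\n\r\n", False),
]


def naive_match(pkt: Packet) -> bool:
    """Bytes-only rule: fires wherever the 15 bytes occur, in any protocol or direction."""
    return SIGNATURE in pkt.payload


def tuned_match(pkt: Packet) -> bool:
    """Context-anchored rule: only client->server HTTP, only in the request line,
    after URL-decoding. Narrower where the bytes are harmless, wider where they hide."""
    if pkt.dst_port != 80 or not pkt.payload.startswith(HTTP_METHODS):
        return False
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    return SIGNATURE in unquote_to_bytes(request_line)


def score(rule, packets):
    """Return (true positives, false positives, false negatives) for a rule."""
    tp = fp = fn = 0
    for p in packets:
        hit = rule(p)
        if hit and p.malicious:
            tp += 1
        elif hit:
            fp += 1
        elif p.malicious:
            fn += 1
    return tp, fp, fn


if __name__ == "__main__":
    for name, rule in (("bytes-only", naive_match), ("context-anchored", tuned_match)):
        tp, fp, fn = score(rule, PACKETS)
        print(f"{name:17s} true positives={tp} false positives={fp} false negatives={fn}")
```

Run it and the bytes-only rule reports one true positive, two false positives and one miss, while the anchored rule reports two true positives and nothing else. The cost of anchoring is that the rule now looks only at HTTP request lines, so whoever tunes a real device must also decide whether the same pattern needs a second rule for POST bodies or other protocols; that judgment, repeated signature by signature and revisited as traffic changes, is the tuning work the article calls for.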
Bridging the vulnerability gap
As the number of virus and malware variants continues to grow, there is growing concern over the “vulnerability gap”: the time between when an exploit is released and when a bank’s security systems are updated to recognize it. There are many steps in this process: the exploit must be identified; vendors must write a signature or patch that responds to it; the update must be distributed to banks; and IT departments must install it in their security systems and on employees’ computers.
At best, the entire procedure can take days. Considering how quickly a bank’s network can become infected — exploits can arrive in moments as innocent-appearing email attachments or pass through the firewall as a user legitimately browses the Internet — days are an eternity in the digital world. Consequently, this period is the dreaded vulnerability gap when a bank’s security systems are helpless to detect and deter malicious exploits. During this time, even security systems themselves are vulnerable to infection.
Protecting the paper trail
Human intervention is also necessary for an often overlooked aspect of banking security — archiving and reviewing audit trails. The SEC examination guide, for example, mandates that vital security information be stored and examined by each bank’s management. Financial institutions must document complete control over their networking infrastructures.
Every bank has a large volume of information flowing in and out of its network around the clock, and that traffic produces a broad spectrum of security data: firewalls, IPS devices, email gateways, virtual private networks and other systems all produce logs and metrics. Banks must be able to document that every security system is functioning properly and that there has been no compromise of data residing on server farms and employees’ desktops or of confidential financial communications with customers, vendors and regulators. The loan department, for example, must be able to confirm that important documents reached their destinations. The human resources staff needs to review this information to ensure that employees are not improperly browsing the Internet while in the office.
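As an added example, not part of the original article, the following Python runs the kind of checks a daily log review performs over a handful of constructed syslog-style lines: which expected devices have gone quiet (a device that stops logging may be down, misconfigured or tampered with), whether an internal host that was the target of an IPS drop later attempted an outbound connection the firewall denied, which restricted-category browsing the proxy allowed, and whether a given loan-department message was delivered. Host names, line formats, addresses, message ids and thresholds are all assumptions made up for the illustration.

```python
"""Daily security-log review over constructed syslog-style lines.

Added example, not from the article: host names, line formats, addresses,
message ids and thresholds are all assumptions made up for the illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed log lines from a firewall, web proxy, IPS and mail gateway.
LOG_LINES = """\
2005-11-01T08:00:05 fw01 ALLOW tcp 10.1.2.15:51212 -> 203.0.113.10:443
2005-11-01T08:00:09 proxy01 user=jsmith url=http://www.example-news.test/ category=news action=allow
2005-11-01T08:00:31 ips01 ALERT sid=1000001 src=198.51.100.7 dst=10.1.2.40 action=drop
2005-11-01T08:01:02 mail01 msgid=<a1@loans.example-bank.test> to=counsel@example-law.test status=delivered
2005-11-01T08:02:44 proxy01 user=rlee url=http://gambling.example.test/ category=gambling action=allow
2005-11-01T08:03:10 fw01 DENY tcp 10.1.2.40:40000 -> 198.51.100.7:6667
2005-11-01T08:15:00 fw01 ALLOW tcp 10.1.2.16:51300 -> 203.0.113.10:443
2005-11-01T08:15:12 proxy01 user=jsmith url=http://www.example-bank.test/ category=finance action=allow
2005-11-01T08:30:00 fw01 ALLOW tcp 10.1.2.17:51400 -> 203.0.113.11:443
""".splitlines()

# Devices that must report; vpn01 is included to show a source that never logged.
EXPECTED_HOSTS = {"fw01", "proxy01", "ips01", "mail01", "vpn01"}
# Assumed review time and the longest silence tolerated before a device is checked.
REVIEW_TIME = datetime(2005, 11, 1, 8, 30)
MAX_GAP = timedelta(minutes=15)

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
DENY_RE = re.compile(r"^DENY \S+ (\S+):\d+ -> (\S+):(\d+)$")


def parse(lines):
    """Split each line into timestamp, host, message and any key=value fields."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m.group(1)), "host": m.group(2),
                           "msg": m.group(3), "kv": dict(KV_RE.findall(m.group(3)))})
    return events


def silent_sources(events, expected_hosts, as_of, max_gap):
    """Expected hosts not heard from within max_gap before as_of. A silent device may be
    down, misconfigured or have had logging turned off; the review must note it either way."""
    last_seen = {}
    for e in events:
        if e["host"] in expected_hosts:
            last_seen[e["host"]] = max(e["ts"], last_seen.get(e["host"], e["ts"]))
    return sorted(h for h in expected_hosts if as_of - last_seen.get(h, datetime.min) > max_gap)


def suspected_compromises(events):
    """Internal hosts that were the target of an IPS drop and later made an outbound
    connection the firewall denied, as (host, remote address, remote port)."""
    attacked = {e["kv"]["dst"]: e["ts"] for e in events
                if e["host"].startswith("ips") and e["kv"].get("action") == "drop"}
    found = []
    for e in events:
        m = DENY_RE.match(e["msg"])
        if m and m.group(1) in attacked and e["ts"] > attacked[m.group(1)]:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found


def browsing_exceptions(events, restricted=("gambling", "adult")):
    """Allowed proxy requests in restricted categories, as (user, url, category) for HR."""
    return [(e["kv"]["user"], e["kv"]["url"], e["kv"]["category"]) for e in events
            if e["host"].startswith("proxy") and e["kv"].get("action") == "allow"
            and e["kv"].get("category") in restricted]


def delivered(events, msgid):
    """Confirm a message id left the mail gateway with status=delivered."""
    return any(e["host"].startswith("mail") and e["kv"].get("msgid") == msgid
               and e["kv"].get("status") == "delivered" for e in events)


EVENTS = parse(LOG_LINES)

if __name__ == "__main__":
    print("silent sources:", silent_sources(EVENTS, EXPECTED_HOSTS, REVIEW_TIME, MAX_GAP))
    print("suspected compromises:", suspected_compromises(EVENTS))
    print("browsing exceptions:", browsing_exceptions(EVENTS))
    print("loan doc delivered:", delivered(EVENTS, "<a1@loans.example-bank.test>"))
```

On the constructed lines the review flags ips01, mail01 and vpn01 as silent, pairs the IPS drop against 10.1.2.40 with that host's later denied outbound connection to port 6667, lists rlee's allowed gambling request for HR, and confirms the loan message was delivered. The silence check is deliberately crude: an IPS that has simply seen no attacks is also quiet, which is why real deployments add a periodic heartbeat so that "no events" and "device stopped reporting" can be told apart.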
Someone to watch over me
The essential point is that no matter what security hardware and software a bank deploys, human monitoring is critical to comply fully with today’s security mandates. This monitoring and analysis is needed every hour of the day and every day of the year. Most financial institutions do not have the manpower for constant oversight. Even if a trained security professional is on staff, a single employee cannot be available at all times to respond to alerts and other issues. Only the largest banks can afford in-house security personnel on duty 24/7.
The strategy that makes the most business sense for these financial institutions, therefore, is to outsource their security, as they do with so many other vital operations. Outsourced security services offer granular solutions for each component of the network: a firewall, intrusion prevention on the inside and outside of the firewall, Web proxying, email filtering, virus scanning and robust VPN services. The vendor monitors the network 24/7 with knowledgeable security analysts, narrowing the vulnerability gap, since analysts can spot an exploit’s activity before a signature for it arrives, and ensuring prompt responses to any issues.
To match in-house the protection an MSSP dedicated to financial institutions provides, a bank would need experienced security engineers continuously monitoring up to nine discrete boxes in the data center, a degree of coverage only the largest financial corporations can deliver themselves. By having security professionals analyze the data their security systems produce, banks turn that information into elevated levels of safety and confidentiality for their customers. They gain a competitive advantage by offering optimal services while cost-effectively meeting all security regulations.
Cary T. Conrad is president of Message Secure Corp., a managed security solutions provider in Lowell, Mass.
© Copyright BankNews, November 2005