Impact of Information Security Trends on Banks, Part 3

Omar Herrera

See Also: Ransomware: The Look at Future Trends

If we analyze the impact of certain types of security incidents (e.g. system intrusion, fraud, denial of service, leak of confidential information) on several types of industries, we will see that the impact will be higher on banks and financial institutions than any other organization.

If you study the security issues surrounding information technology dependency, you will see that this is one banks weakest security areas . Although this type of dependency is an up and coming trend in most industries, it is not new for financial institutions. This is because banks are able to automate most services and operations. E-banking is reshaping the way people and organizations do business, and new services based on e-banking and electronic processing capabilities are created and deployed at very high speeds. Many of these services could not be created and maintained without the information technology infrastructure that exists today, and if this infrastructure was to fail, these banks would be unable to function.

Banks batch processes have also been upgraded to real time operations. Consequently, some of these processes need to be working constantly in order to provide availability for bank operations. These operations will soon be more critical as electronic processes and services replace their manual counterparts (the few that still survive).

Additionally, decrease in speed to exploit vulnerabilities is another trend that has had a significant impact on these systems availability. Massive propagation of threats like viruses and worms take advantage of improvements in exploit developments. Worms like Blaster and the more recent Zotob have shown the importance of having effective security controls to deal with these threats.

The current trend towards faster exploit development cycles also mean that reactive security controls (i.e. those implementing blacklists, also called negative logic security controls) have become less effective. This is because they rely on previously known patterns. Therefore, those controls need to be regularly updated in order recognize any new threat. Only then are they capable of stopping certain types of attacks. These updates need to be accomplished by vendors who have the capabilities to identify the threats, create detection signatures, and distribute them. Further, banks then have to update these controls. No matter how fast vendors and banks are at completing this update cylce, the fastest worms and viruses will always be ahead of them. Patching the vulnerabilities that these types of malware exploit is also much slower.

While some companies can afford to have a few infections each year, accepting this risk is simply not an option for banks.A banks high level of dependency on Information technology, real-time batch processes speed, and constant availability of many banking services makes these threats a critical security risk. The potential impact that a single infection might have on a critical server (no matter how small the infection is), could cause serious operational damage.

Unfortunately, Banks and other financial institutions are some of the most heavily affected organizations by targeted attacks. The steady increase of e-banking systems attacks through Phishing is alarming. Phishing poses serious problems for bank security strategies because some Phishing attack techniques are hard to detect. This is because certain techniques never involve the bank infrastructure, they effected through infected through outside sources. Vulnerabilities of computer systems, and the personal property of customers and employee data, pose a large risk for bank operation. A customers PC canât be protected by the bank, but the banks canât ignore this threat. If a customer's entrance to these systems from their personal computer is not secure, everybody loses (except the bad guys). This need for multiple layers of security drive the cost of these services higher.

Cyber criminals also look for vulnerabilities within the organizationâs systems. Hackers targeting organizations are shifting towards application level attacks, and in a banks case, there are many custom made applications. This is because banks have a very specific need to provide custom services to their clients. It is therefore essential that banks pay attention in securing and auditing those applications properly.

Regarding security controls and services, we know that the market in general is demanding. Information security professionals often search for easy to manage, low cost solutions that are able to provide protection to a wide number of systems. This is done even if some degree of security is sacrificed. That is why many current security controls are based on negative logic (i.e. blacklists), so that they are easier to adopt by the organizations.

Therefore, many banks need an almost complete redefinition of their security processes and functions. The good news is that in the end, implementing stricter controls and procedures will not only allow banks to comply with Sarbanes-Oxley and Basel II Accord, but it will also provide these institutions with a more robust security architecture (i.e. a more efficient way to select, implement and manage security controls). The bad news is that timetables are tight and many institutions are rushing to comply with these legal requirements.

Many banks also realize that consumers are demanding more security options for e-banking and electronic transactions involving bank services (e.g. credit/debit card on-line payments and electronic transfers of funds). Many customers are willing to pay for the increased cost of these solutions. Therefore, there is a genuine opportunity to consider security as an investment (i.e. there is a ROI, in security controls that answer specific customerâs requests for secure services). Customer awareness is also an important factor for electronic transactions. An example of these standards is SET, a standard designed to stop fraud and bring more security to electronic purchases over the Internet. However, the adoption of such standards has not been as successful as expected. SET, for example, was ignored by both banks and electronic stores, since it made online payments cumbersome and costly. Yet, it is expected that with increased consumer awareness this will change, and new security standards will eventual turn into a competitive advantage, or might even become an essential component of electronic payments.


About the Author




Around the Network