BankInfoSecurity.com Interviews Catherine Allen, CEO of BITS on Information Security at Financial Institutions
LINDA MCGLASSON: Hello. This is Linda McGlasson with BankInfoSecurity.com, and today we’re speaking with Alan Paller of the SANS Institute. For those of you who don’t know, SANS is the most trusted and, by far, the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system, the Internet Storm Center. Their website is www.sans.org.

Alan is the director of research for the Sans Institute, and he’s responsible for overseeing all research projects ranging from the Sans’ Step-by-Step Guides to the Sans Digest to the top 20 Internet Security Tricks. He’s also the founder of the CIO Institute and earned his degrees in computer science and engineering from Cornell and MIT. Alan is the author of the EIS book Information Systems for Top Managers and How to Get the Best Presentation of your Life. In 2001, the President named Alan as one of the original members of the National Infrastructure Advisory Council; and in 2005, the Federal CIO Council chose him at its 2005 Azimuth Award winner, recognizing his vision and outstanding service to federal information technology.

Hello, Alan.

ALAN PALLER: Hi.

LINDA MCGLASSON: Well, we’ll get right down to these questions. Are we in information security becoming complacent? Is it possible we’re becoming innured to all these zero-day threats and bot-nets and virus threats and SPAM-filled email boxes that we tend to look at the situation and believe it is normal?

ALAN PALLER: I think a lot of people are feeling that they’ve lived through the worst, they aren’t in any way terribly damaged by what’s happened. Maybe they had to get rid of a computer or two, but it isn’t really that big a thing and they can get on with their lives.

LINDA MCGLASSON: And what do you and the SANS Institute see as the biggest information security threat facing the cyber community in 2007? And what about financial institutions; are there other threats we must be more attuned to?

ALAN PALLER: Well, going back to the first question, you set up the second one because although most people believe that they’re not being heard, the reality is that most of the pain is beneath them. The best example is financial institutions. I think you know that there is a massive set of organized crime-driven attacks that take over people’s PCs using SPAM or phishing exercises and put key stroke loggers on their machines. Then the key stroke loggers wait until you sign on to Bank of America or one of the other banks, captures the key strokes that you use, and then it cleans out your account.

And what has happened is that the banks have kept that essentially secret. The way they’ve done that is by paying off the losses at basically their depositors’ cost, and the banks took responsibility for it. And these are real losses; the money is really gone. It’s not pretend money the way the credit card companies do it. But the banks are losing a lot of money, and it turns out that in the last year the losses from this type of attack have increased by between 400 and 800%. It’s become so significant that bank CEOs are starting to ask how long can we continue to pay the losses. And what’s fascinating about that is that, although the public doesn’t know that there is a risk this way because the banks certainly aren’t going to tell people because they want you to use online banking, the really scary part of this from a complacency perspective is that merely every bank believes that this is entirely a problem as far as by a home user allowing his machine to get infected. But we have evidence that in one case the loss was not a home user; in fact, the credentials were stolen directly from the servers in the bank. So the attackers are getting inside the bank, stealing the credentials, and then taking the money away. And all of this is happening way below the public attention and meaningfully so, meaning people really don’t want the public to know about this because if the public knows about it, they won’t trust the online banking. And online banking makes banks a fortune, so it’s worth it to the banks to take the losses. But the losses are accelerating. 500% a year is way too much, and I guess the worst part of it is just from – because I care about it; a lot of people ask, why are you making noise about it? It turns out that at least in one case law enforcement has let us know that the money from one of these bank frauds went directly into the accounts of terrorists and were used to buy the bombs. So our lack of security in the banks is actually funding the terrorist bombings, and that’s trouble.

LINDA MCGLASSON: Certainly something that we would want to make sure doesn’t happen.

ALAN PALLER: It is happening. And people are not doing anything about it because to do something about it takes real work and real money.

LINDA MCGLASSON: And what would you suggest financial institutions do in terms of stopping this?

ALAN PALLER: There’s a discipline that financial institutions are actually in the lead on in terms of not allowing users to be on their network that have the ability to be infected, a bit of a double negative; but what I mean is one of the things they do – that some financial institutions do, but not enough – is that they take away all of the administrative rights from all customers and keep it centrally managed. That’s not a perfect solution, but it’s a heck of a good one.

And then the second one is that – and I only know of one financial institution doing it – are inoculation programs because, for the most part, the break-ins inside big financial institutions are happening by social engineering rather than just because they have a bad vulnerability on their machine. They’re pretty good about finding vulnerabilities, so their own users are letting them in. And they need to do more inoculation programs. Inoculation programs are different from education programs because people actually experience the pain of the attack in an inoculation program. But those are the two things that they need to do a lot more of. There is a need to be much more disciplined in who they allow on their networks and how they allow machines to get on their networks. They need to be much more disciplined about what the users are allowed to do when they’re hooked to the network.

LINDA MCGLASSON: As you’ll know, the banking industry is one of the most highly regulated of all businesses. If you were the “decider” at a federal regulatory agency, what regulation would you enact or repeal for banks and credit unions in regards to strengthening information security?

ALAN PALLER: Only one: That’s disclosure. The character of security is that as long as it can be swept under the rug, it will be considered an insurance adjustment. And if the money weren’t going to the terrorists, I wouldn’t care; but given that we’re funding the bombs, we need to stop the losses. And the only way you’re going to get senior bank officials to stop the losses is if they have criminal penalties for not reporting it.

LINDA MCGLASSON: As I think a similar question in the same vein, there are some financial institutions out there that say, “well, they’re not going to hit me; they’re not going to come in and try to break into my bank,” and they don’t have an incident response program in place. What would you want to tell them?

ALAN PALLER: I don’t know that that’s true. I think everyone has a little bit of an incident response program in place. I think what really is sad about the incident response programs is that most of them are not staffing people who can find the problem. So it’s not that they don’t have people – they have the team; it’s just that nobody on the team – and I’ve run into this four times now. Nobody on the team actually knows how to do the forensics, the investigative work. So really all they have is a team that manages the public, hiding the data from the public and getting even the CEO involved and keeping the lawyer involved. But the technical work ends up being bought from outside organizations. So in essence, anyone who has an incident response plan but doesn’t have in-house needs to have somebody, some team ready and waiting to come and help if they do get attacked, a very technical team. There are lots of firms that do that, including the big four, but there are lots of other firms.

LINDA MCGLASSON: And there’s always the SANS organization that will train your in-house employees. Getting on to some of the initiatives that SANS is working on, could you describe the SCORE initiative and its work on the best practices for the industry?

ALAN PALLER: Actually, let me give you a different one. The first one, I’ll do it in one sentence. It’s a list of the settings that you need to do keep particular parts of your network secure, but you can get those from a lot of people. We’ve tended to do some that no one else does, and no one else does them because they’re not as widely used. But the much more interesting project – I’m assuming this isn’t going to get broadcast for a little while.

LINDA MCGLASSON: Probably about two, three weeks.

ALAN PALLER: That’s perfect. The most interesting project is the one that banks have been enormously supportive of, probably the most supportive of; and that is how are you going to solve the problem long term? And the answer to how you’re going to solve the problem long term is you’ve got to deliver software that has fewer security bugs in it. And to do that, you have to get programmers to know how to write more secure code and, more importantly, ask the colleges and the community colleges to include secure coding as a required element of anyone’s program that get through their school. Sounds sensible?

LINDA MCGLASSON: Build it in from the beginning.

ALAN PALLER: Right. But it turns out that the – especially in the four-year colleges, but also in some of the others – the computer science people say explicitly this is not our job; we are not a vocational school, we’re not going to do it. So you’ve got this standoff that’s been going on for five years, and one of the most fun things we’re doing is having a breakthrough impact on that. And what it is is that all of the really smart security wizards – Gary McGraw was in on it at the beginning. I’m not sure he’s still involved in it, but all of the secure programming wizards have been helping to create a national exam, and it’s this secret. We will go public in about ten days.

But it’s a national exam that tests programmers for how well they know the common mistakes that are made, whether they can find them in code, and fix them. And the reason it’s the high impact project isn’t that it’s a test; it’s that colleges are going to be put on the spot by employers, saying “why do your people fail this exam?” And no college wants to be embarrassed about putting out people who are dangerous. So this is the energy source that finally will move the colleges to embed security, and we’re already hearing rumblings like that. They’re talking about summer workshops for faculty on how to teach this stuff. It’s very exciting. So that’s the kind of project SANS likes to take on, where you have a big national problem – the early warning system for the Internet, no one was doing that, so we built the [Internet] Storm Center. We didn’t take any federal money; we did it with our own money, and we have 6,000 centers around the world, and we report every day what bad things are happening as of last night, and we analyze it in real-time. This project is the same kind of project. We have no way to get the community to make sure that their program is in every project that they have, every bank for example. Every project, you build new software, ought to have at least one person who’s really an expert on security. Well, how do you know who is an expert on security? That’s what the test does. And it’s not an on-off test; it’s a rating scale. So you don’t fail it or pass it. You actually get a certain level– there are five levels, and so you want to have somebody with one of the upper levels on every project so that they can make sure that the codes you’re writing actually doesn’t have the common errors. That’s the kind of stuff SANS likes to do.

We have about 14,000 people going through immersion training courses every year, and it’s – these are the kinds of programs we put in to make their job easier when they get back to their workplace.

LINDA MCGLASSON: Boy, it sounds like an excellent step in the right direction in terms of making sure that information security starts at the beginning. And I wanted just to follow up and close with two questions. Where do you – other than some of these initiatives with the colleges and the building and training programmers, where do you see information security going from the perspective of a SANS director of research?

ALAN PALLER: Probably the most interesting problem – and easily the hardest problem in security – is the identification isolation of malicious software that’s hidden on a computer. When somebody breaks into the computer, he tries to be invisible. And they’re getting much, much, much more sophisticated at becoming invisible. So the great arms race for the next decade will be building the tools and the people who can find that stuff. And SANS is not in the lead on that; the Air Force is actually in the lead on that. But we’re hoping that we can learn some of what they’re doing and bring some of their techniques to the rest of the world.

LINDA MCGLASSON: We will be watching very closely as that develops. Any final words of advice on information security or your own wisdom that you’d like to offer our audience of banks and credit unions?

ALAN PALLER: I don’t think wisdom is the right word. I was pretty tough on banks at the beginning when I was talking about their hiding the losses and not even knowing it was their own servers that were giving it away. In general, the banking industry is at least better than, and in most cases much better than, other organizations in security. They’ve really gone far beyond other organizations. They’re doing things that now others are following, like they were the first to do an in-depth application method before they deployed applications on the Internet. Banks (and investment community) such as Merrill Lynch and a lot of banks in the investment community were the first to build scan-and-block systems that made sure that the users are connected to their network and didn’t have effects. And so despite my being a little tough on the banking community for hiding the problem, that’s a business decision that they have made; and I think it ought to change with better laws. But other than that, they’re really leading the way, and they need to get kudos for that.

LINDA MCGLASSON: Well, thank you, Alan, for taking this time out of your busy day and sharing your insights on information security with us. And we will continue to look for the latest information on information security and all the surrounding issues from your organization, the SANS Institute. Thank you very much.




Around the Network