So You Think You Are Secure?
Threats can originate from many sources, including the Internet and the inside of your institution: on your own network, behind your firewall. The source can be as varied as a hacker scanning for vulnerabilities in your systems, an unsuspecting employee or contractor connecting an infected laptop directly to the network, or someone deploying an unauthorized wireless access point on your network. What about your website: how quickly would you know if it had been defaced? Protection from this multitude of attacks requires deploying security in layers, where each layer enhances overall security.

What is "layered security"? Imagine slices of Swiss cheese. Swiss cheese, by nature, has many holes, or entry points. Think of the holes as security risks. With one slice, you have many exposed holes. Adding slices adds more holes; however, by layering the slices strategically, you begin to cover the holes. Eventually, with enough slices placed correctly, all of the holes are covered. Apply this analogy to your environment. You add products and services, which by nature carry security risks, so you need to implement new security controls, monitoring, policies, and procedures to mitigate those risks. In other words, layered security. A single layer of security will leave your systems exposed.

For years, financial institutions have employed the layered approach to physical security, using vaults, locked computer rooms, and employee training and procedures. Furthermore, to ensure around-the-clock protection, monitoring by means of security guards, alarm systems, motion detectors, and cameras is readily used. Layered network security is no different. Continuous monitoring is a vital component of layered security. Security best practices mandate continuous monitoring to ensure protection of the whole environment: physical and logical, internal and external.
Many institutions inappropriately limit their security focus to the external environment and implement policies and controls consisting only of firewalls and intrusion detection systems (IDS). A broader perspective is necessary, however, covering Internet-exposed systems such as websites and e-commerce applications as well as internal network systems. Incorporating layered security provides a holistic and proactive perspective. Continuous, around-the-clock monitoring of your whole environment, including transaction hijacking detection, website defacement detection, and unauthorized computer and wireless network detection, is a vital layer of security.
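Of the monitoring layers listed above, website defacement detection is the easiest to make concrete. The following Python script is an added example and is not part of the original article or any product it describes: it records a SHA-256 baseline of each monitored page, strips HTML comments and collapses whitespace so a benign timestamp regeneration does not raise a false alert, and on each check reports pages that have changed or become unreachable. The page paths and contents are constructed samples, and `make_fetcher` is a stand-in for a real HTTP GET.

```python
import hashlib
import re
from typing import Callable, Dict, Iterable, List

# Constructed sample site (not real pages): the snapshot taken when the
# baseline is recorded.
BASELINE_SITE = {
    "/index.html": "<html><!-- generated: 2024-01-01T00:00:00 --><body><h1>Example Bank</h1></body></html>",
    "/login.html": "<html><body><form action='/auth'><input name='user'></form></body></html>",
    "/about.html": "<html><body><p>About us</p></body></html>",
}

# Constructed "later" snapshot: index.html only changed its generation
# timestamp comment (benign), login.html has foreign content injected,
# and about.html is no longer served at all.
LATER_SITE = {
    "/index.html": "<html><!-- generated: 2024-01-02T00:00:00 --><body><h1>Example Bank</h1></body></html>",
    "/login.html": "<html><body><h1>Constructed defacement sample</h1><form action='/auth'><input name='user'></form></body></html>",
}

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def normalize(body: str) -> str:
    """Remove HTML comments and collapse whitespace before hashing, so that
    content regenerated with a new timestamp comment is not reported as changed."""
    return re.sub(r"\s+", " ", COMMENT_RE.sub("", body)).strip()


def fingerprint(body: str) -> str:
    """SHA-256 of the normalized page body."""
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


def make_fetcher(site: Dict[str, str]) -> Callable[[str], str]:
    """Stand-in for an HTTP GET against the constructed site; raises the way a
    failed request would so the checker can record the page as unreachable."""
    def fetch(path: str) -> str:
        if path not in site:
            raise ConnectionError(f"{path}: not reachable")
        return site[path]
    return fetch


def take_baseline(fetch: Callable[[str], str], paths: Iterable[str]) -> Dict[str, str]:
    """Record the known-good fingerprint of every monitored path."""
    return {path: fingerprint(fetch(path)) for path in paths}


def check_site(fetch: Callable[[str], str], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-fetch every baselined path and classify it as unchanged, changed
    (possible defacement) or unreachable (possible outage or takedown)."""
    report: Dict[str, List[str]] = {"unchanged": [], "changed": [], "unreachable": []}
    for path, expected in baseline.items():
        try:
            body = fetch(path)
        except OSError:  # ConnectionError is a subclass of OSError
            report["unreachable"].append(path)
            continue
        status = "changed" if fingerprint(body) != expected else "unchanged"
        report[status].append(path)
    return report


def run_demo() -> Dict[str, List[str]]:
    """Baseline the constructed site, then check the later snapshot against it."""
    baseline = take_baseline(make_fetcher(BASELINE_SITE), BASELINE_SITE)
    return check_site(make_fetcher(LATER_SITE), baseline)


if __name__ == "__main__":
    for status, paths in run_demo().items():
        print(f"{status}: {paths}")
```

In production the check would run on a schedule from a host outside the web tier, the baseline would be refreshed only through the change-management process, and any `changed` or `unreachable` result would page the on-call team; the normalization step is the part that needs tuning per site, since pages with legitimately dynamic regions otherwise generate constant false alarms.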
Providing the appropriate layers of security is no longer just a "best practice" but a regulatory requirement. The Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to implement controls to ensure the confidentiality, security, and integrity of customer information and information systems. The Sarbanes-Oxley Act of 2002 requires publicly traded companies to keep accurate records, implement appropriate internal controls, and provide an annual attestation on the integrity of financial reports and an assessment of internal controls. For financial institutions with $500 million or more in assets that are not publicly traded, similar requirements exist under the Federal Deposit Insurance Corporation Act (FDICA). The USA Patriot Act also requires institutions to verify the identity of those performing online transactions. Financial institution regulators view the failure to provide an effective risk management program, which includes layered security, as an unsafe and unsound banking practice. Furthermore, the FFIEC IT Security Handbook states that reliance on a single control device or method creates a false sense of security, and that institutions should consider layering controls. Industry best practices and regulatory requirements include sound risk management, acquiring adequate expertise, implementing adequate measures for authenticating and authorizing network users, regularly checking for vulnerabilities and addressing them, and monitoring remote users and third parties. In essence, layering security.
So if you think you are secure, unless you have implemented layered security and continuous monitoring, think again.