Steering a Course Toward Secure Networks
Securing the network against intrusion is more than complying with the Federal Financial Institutions Examination Council’s mandate for strong authentication—although it’s certainly that. It also makes good business sense. Financial institutions that implement information security technology and procedures have a much greater chance of allaying customer fears about identity theft than those that don’t.
Among the first steps that should be taken is installation of a monitoring system that actively probes the network to discover which devices are connected and which services they run. Whenever a new device is plugged into the network or something else changes, the monitoring system alerts the IT department to investigate.
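The change-detection step described above, as an added example that is not code from the article or from any vendor it names: two inventory snapshots (host and the open port/service pairs found on it) are compared, and every new host, vanished host, newly exposed service or withdrawn service becomes an alert line for the IT team. Real snapshots would come from an active scanner; the two here are constructed inline so the script runs offline.

```python
"""Detect new devices and newly exposed services by comparing two inventory snapshots.

Added example; not code from the article or from any vendor it names. The two
snapshots are constructed so the script runs offline.
"""
from dataclasses import dataclass, field

# Constructed baseline snapshot: host -> set of (port, service) found open on it.
BASELINE = {
    "10.0.1.10": {(22, "ssh"), (443, "https")},
    "10.0.1.11": {(3306, "mysql")},
}

# Constructed latest snapshot: 10.0.1.12 is a new device, 10.0.1.10 now also
# answers on telnet, and 10.0.1.11 no longer responds at all.
LATEST = {
    "10.0.1.10": {(22, "ssh"), (443, "https"), (23, "telnet")},
    "10.0.1.12": {(445, "smb")},
}


@dataclass
class InventoryDelta:
    new_hosts: dict = field(default_factory=dict)         # host -> services it exposes
    removed_hosts: list = field(default_factory=list)
    new_services: dict = field(default_factory=dict)      # host -> services added since baseline
    removed_services: dict = field(default_factory=dict)  # host -> services no longer seen


def diff_inventory(baseline, latest):
    """Compare two snapshots and return everything that changed between them."""
    delta = InventoryDelta()
    for host, services in latest.items():
        if host not in baseline:
            delta.new_hosts[host] = sorted(services)
            continue
        added = services - baseline[host]
        gone = baseline[host] - services
        if added:
            delta.new_services[host] = sorted(added)
        if gone:
            delta.removed_services[host] = sorted(gone)
    delta.removed_hosts = sorted(h for h in baseline if h not in latest)
    return delta


def alerts(delta):
    """Render the delta as one alert line per change for the IT team to investigate."""
    lines = []
    for host, services in delta.new_hosts.items():
        lines.append(f"NEW HOST {host} exposing {services}")
    for host in delta.removed_hosts:
        lines.append(f"HOST GONE {host}")
    for host, services in delta.new_services.items():
        lines.append(f"NEW SERVICE on {host}: {services}")
    for host, services in delta.removed_services.items():
        lines.append(f"SERVICE GONE on {host}: {services}")
    return lines


if __name__ == "__main__":
    for line in alerts(diff_inventory(BASELINE, LATEST)):
        print(line)
```

Running it yields three alerts for the constructed snapshots: the new host, the host that disappeared, and the telnet service that appeared on an existing host. Withdrawn services are reported too, because a service silently vanishing from a server is just as worth a look as one appearing.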
BB&T Corp. in January revealed that it’s implemented a new fraud detection technology that delivers real-time Web activity information to its fraud and FFIEC regulatory compliance system, enabling it to halt fraud when it occurs.
“Our interest is first and foremost to protect our users and to mitigate fraud,” says Paal Kaperdal, BB&T’s senior VP of e-Business. The technology “enables us to quickly extend additional protection across our enterprise with no impact to our business applications.”
The software employs a unique, multidimensional profile approach to detect suspicious patterns and behavior. It captures all online user transactions and transforms them into meaningful real-time business events to identify potentially fraudulent activity on any of BB&T’s Web applications. This real-time capability enables the institution to take immediate action, such as requiring additional authentication, invoking out-of-band transaction authorization, and halting user activity.
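The multidimensional profile approach in outline, as an added example that is not BB&T's system or any vendor's product: each captured transaction is scored on several dimensions against what has been normal for that user (country, device, amount, time of day, payee), and the score is mapped to the graduated responses listed above. The dimensions, weights and thresholds are assumptions chosen for illustration, and the profile and events are constructed.

```python
"""Score an online-banking event against the user's behavioral profile and pick a response.

Added example; not BB&T's system or any vendor's product. Profile dimensions, weights
and thresholds are assumptions; the profile and events below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Profile:
    """What has been normal for this user so far (built from past, non-fraudulent activity)."""
    user: str
    countries: set       # countries the user has logged in from
    devices: set         # device fingerprints seen before
    avg_amount: float    # average transfer amount
    active_hours: range  # hours of day (UTC) the user is usually active
    payees: set          # payees previously paid


@dataclass
class Event:
    """One captured web transaction, reduced to the fields the profile is scored on."""
    user: str
    country: str
    device: str
    amount: float
    hour: int
    payee: str


# Assumed weight of each profile dimension when the event departs from it.
WEIGHTS = {"country": 35, "device": 25, "amount": 20, "hour": 10, "payee": 15}


def risk_score(profile, event):
    """Add the weight of every dimension on which the event looks unlike the user's history."""
    score, reasons = 0, []
    if event.country not in profile.countries:
        score += WEIGHTS["country"]
        reasons.append("unseen country")
    if event.device not in profile.devices:
        score += WEIGHTS["device"]
        reasons.append("unseen device")
    if event.amount > 3 * profile.avg_amount:  # assumption: 3x the average counts as large
        score += WEIGHTS["amount"]
        reasons.append("unusually large amount")
    if event.hour not in profile.active_hours:
        score += WEIGHTS["hour"]
        reasons.append("outside usual hours")
    if event.payee not in profile.payees:
        score += WEIGHTS["payee"]
        reasons.append("new payee")
    return score, reasons


def decide(score):
    """Map the score to one of the graduated responses (thresholds are assumptions)."""
    if score >= 70:
        return "halt"         # halt user activity
    if score >= 45:
        return "out-of-band"  # require out-of-band transaction authorization
    if score >= 20:
        return "step-up"      # require additional authentication
    return "allow"


# Constructed profile and events.
ALICE = Profile("alice", {"US"}, {"fp-a1"}, 250.0, range(7, 22), {"electric-co", "landlord"})
ROUTINE = Event("alice", "US", "fp-a1", 200.0, 12, "landlord")
NEW_DEVICE = Event("alice", "US", "fp-zz", 300.0, 12, "landlord")
LARGE_TO_NEW_PAYEE = Event("alice", "US", "fp-zz", 2000.0, 12, "crypto-exchange")
TAKEOVER = Event("alice", "RO", "fp-zz", 2000.0, 3, "crypto-exchange")

if __name__ == "__main__":
    for ev in (ROUTINE, NEW_DEVICE, LARGE_TO_NEW_PAYEE, TAKEOVER):
        score, why = risk_score(ALICE, ev)
        print(f"{ev.payee:16} score={score:3} -> {decide(score):12} {why}")
```

The point of scoring several dimensions rather than one is that a single oddity (a new phone) warrants only a step-up challenge, while several at once (new device, large amount, unknown payee, unusual hour, unseen country) cross the threshold for halting the session. The returned reasons give the fraud analyst something to act on beyond a bare number.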
The FFIEC has provided specific guidance on what constitutes effective network security. Requirements include performing a regular risk assessment on applications, servers, databases, and network devices with nonpublic personal information, mandatory evaluations of major infrastructure changes, documented policy and procedures, and regular risk assessments to determine appropriate controls.
The FFIEC also requires logging of all access to personal information (view, read, write, delete), the capability to detect potential intrusions and placement of intrusion detection devices, firewalls, authentication and access controls, and encryption in storage and transmission.
A robust network logging system helps institutions identify threats at the network, host, and application layers, as well as address compliance requirements for log monitoring, enabling them to log, track, and analyze user and system activity.
Lone Star Capital Bank, based in San Antonio, Texas, has deployed a set of managed security products and services, including an intrusion detection system, enabling it to manage and view network traffic in real time. It looks for intrusion attempts, potential vulnerabilities, and harmful scripts around the clock. “Security is at the forefront of our concerns each and every day,” says John Theiss, Lone Star’s chief technology officer. “We feel very comfortable going forward that the network and customer information of our bank is secure.”
St. George Bank, a financial institution in Australia, has expanded its system for monitoring automated teller machines to include logging of the bank’s network of LAN servers. Automated logging provides immediate notification of errors and alerts, as well as a comprehensive log of all problems or downtime occurring in the institution’s devices. This provides “an absolute record of when devices fail and why. It gives us a 100% historical record that can be fed back into our problem logging and change management,” says Sonja Strupeit, a St. George Bank network security manager.
The FFIEC also places a premium on access controls. Financial institutions should assign users only the access required to perform their functions, update access rights based on personnel or system changes, and periodically review users’ access based on the risk to the application or system. In addition, they should group network servers, applications, data, and users into security domains, establish appropriate access requirements within and between each security domain, and implement appropriate technological controls to meet those access requirements consistently. Authentication and authorization controls need to be appropriately robust for the risk of the application. Access rights should be monitored to ensure they are the minimum required for the users’ current business needs. Also needed is software that enables rapid analysis of user activities.
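The two analyses the logging and access-control passages above call for, combined in one added example (not any bank's system): the access log that records every view, read, write and delete against nonpublic personal information is checked against each user's granted rights per security domain, and rights that were granted but never exercised in the review window are listed as candidates for removal, which is the periodic least-privilege review the FFIEC guidance describes. The log format, domain names, users and entitlements are all constructed for the example.

```python
"""Review logged access to nonpublic personal information against granted entitlements.

Added example, not any bank's system. Two checks: (1) every logged access must be
covered by a right the user holds in that security domain; (2) rights granted but
never used in the review window are candidates for removal. Log format, domains,
users and entitlements are constructed.
"""
from collections import defaultdict

# Constructed entitlements: user -> {security domain: set of permitted actions}
ENTITLEMENTS = {
    "tellers/jdoe": {"customer-db": {"view", "read"}},
    "ops/asmith": {"customer-db": {"view", "read", "write", "delete"}, "loan-db": {"read"}},
}

# Constructed audit log, one access per line: timestamp|user|domain|action|record
LOG = """\
2024-03-01T09:12:03Z|tellers/jdoe|customer-db|view|cust-1001
2024-03-01T09:13:40Z|tellers/jdoe|customer-db|write|cust-1001
2024-03-01T10:02:11Z|ops/asmith|customer-db|read|cust-2002
2024-03-01T10:05:00Z|ops/asmith|loan-db|read|loan-77
2024-03-02T23:40:00Z|contractor/x|customer-db|delete|cust-3003
"""


def parse_log(text):
    """Turn the pipe-delimited log into a list of access records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, domain, action, record = line.split("|")
        events.append({"ts": ts, "user": user, "domain": domain,
                       "action": action, "record": record})
    return events


def unauthorized_accesses(events, entitlements):
    """Accesses not covered by a granted right: unknown user, no right in that domain,
    or an action (e.g. write) beyond what was granted (e.g. view/read only)."""
    hits = []
    for e in events:
        allowed = entitlements.get(e["user"], {}).get(e["domain"], set())
        if e["action"] not in allowed:
            hits.append(e)
    return hits


def unused_rights(events, entitlements):
    """Granted (user, domain, action) rights never exercised in the window,
    i.e. candidates for removal under least privilege."""
    used = defaultdict(set)
    for e in events:
        used[(e["user"], e["domain"])].add(e["action"])
    stale = []
    for user, domains in entitlements.items():
        for domain, actions in domains.items():
            for action in sorted(actions - used[(user, domain)]):
                stale.append((user, domain, action))
    return stale


if __name__ == "__main__":
    events = parse_log(LOG)
    for e in unauthorized_accesses(events, ENTITLEMENTS):
        print(f"UNAUTHORIZED {e['ts']} {e['user']} {e['action']} {e['domain']}/{e['record']}")
    for user, domain, action in unused_rights(events, ENTITLEMENTS):
        print(f"REVIEW unused right: {user} may {action} in {domain}")
```

On the constructed data the first check flags the teller's write (only view and read were granted) and the delete by an account with no entitlements at all; the second lists the teller's unused read and three of the operator's four customer-db rights, which a reviewer would either confirm as still needed or revoke. The same two functions work on any window of log lines, so the review can be repeated on the schedule the guidance requires.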
By implementing these and other safeguards, financial institutions will not only be in compliance with regulators but also will be providing protection for their employees and customers.