
Information Security: It's Not an Option

By : IBM
Published : Oct 05, 2007
Length : 17
Type : White Paper
 
Overview :

Technology has helped financial institutions work harder and faster than ever before. The downside: Sensitive data is more vulnerable than ever before. Financial Insights offers ideas and solutions to improve Information Security (IS).

Click below to learn more on protecting your most important assets, your data.

Browse Related Categories : Compliance, Data Protection, Database Security, Information Management, Network Security

 
Security attacks against financial institutions and their customers are growing and are increasingly connected with consumer and corporate fraud schemes. Managing data security in today's distributed technology environment is much more complex because the function must go beyond an institution's boundaries to control security risks facing service providers, remote partners, and customers. In addition, the function now requires more coordination with fraud management professionals and firms with deep security expertise to effectively manage risks from breaches in data security.
Financial institutions are currently adapting security risk management to the new environment in the following ways:
- Investing in security management tools that enable more proactive management of security, including intrusion prevention systems and automated vulnerability monitoring;
- Increasing the formality, frequency, and business relevance of security risk assessments in part to meet higher regulatory standards for information security management; or
- Outsourcing the most time-consuming security management functions to security services providers that have a deeper understanding of the nature of security threats and can react more adequately to each security event.
New technologies and strategies being contemplated to manage internal and external consumer security risk today include:
- Collaborating with technology providers, both security specific and financial services specific, to develop new solutions to help customers prevent fraud schemes perpetrated through email and Web technology (namely phishing); and
- Evaluating more secure authentication solutions for internal employee authentication and, in some cases, for authentication of customers and institutions in the online environment.
The importance of information security (IS) in the banking industry has grown tremendously over the last few years due to a combination of factors such as the following.
- Growing severity and number of security attacks in the form of email fraud, viruses, worms, and other malicious code against financial institutions and their customers. These attacks often lead to the acquisition or destruction of confidential customer information.
- New regulatory requirements. For example, the Gramm-Leach-Bliley Act's section 501B mandates an information security program to protect customer information, and the Sarbanes-Oxley Act requires effective controls over the financial reporting process, which include controls to ensure information integrity.
- Increased exposure to risk of data theft, destruction, or manipulation from insiders due to the greater availability of information in electronic format and the increased mobility and access of information via networked computers spanning the enterprise and the globe.

Recent Trends in Malicious Code Attacks
According to Symantec, a provider of corporate and consumer security products, attacks today have the potential of being more severe than in the past. Analysts have noticed that the time between the discovery of a vulnerability and the exploitation of the vulnerability has been shrinking. Whereas institutions had months and sometimes years to implement the latest patch developed to remedy a vulnerability, today they have days. In the most recent Symantec Internet Security Threat report, the interval was 5.8 days.
Given the dominance of the Windows platform in the corporate and consumer market, more and more security attacks are exploiting vulnerabilities found in Windows software (Figure A). Well over 50% of the top ten malicious code attacks submitted to Symantec between January and June 2004 were Win32 threats.
Another finding from Symantec's analysis of security threats is that attacks are more targeted than before. Analysts have been observing an increase in the number of attacks aimed at acquiring specific data or causing damage at specific organizations. In addition, more of these attacks are financially motivated. For example, a recent security attack targeting the online payment processing company Authorize.net took place after the company received an email message from an extortionist requesting a significant amount of money. Will we start to see similar cyberspace holdups targeted at financial institutions?
Already the financial services industry has been the recipient of a targeted security attack known as Bugbear.B, a worm that contains routines that specifically affect financial institutions. These programs are instructed to send confidential information gleaned through a key-logging program to public Internet email addresses. In the last half of 2003, this malicious code was ranked number one on Symantec's top-10 submissions list. It remained on the top-10 list at number eight in the first half of 2004.