Information Security
Perimeters Protected, Firms Look Inward
Focus shifts to internal controls, network monitoring, holistic security
March 24, 2008
With their perimeters largely secured--though under constant probing for weakness--financial services firms are focusing on internal security by improving controls on what employees can do and enhancing the security of connections for staff and customers when they cross the firewalls to access information.
"Keeping the environment secure is somewhat done," says Mark Nicholson, COO of information security consultancy Vigilant. "We are seeing a shift from looking at somebody hacking in or a denial-of-service attack--when outsiders flood servers with so much traffic they crash the Web site--to a concern with fraudulent transactions from people on the inside doing bad things or outsiders gaining credentials to operate inside."
According to New York-based Vigilant, which works with firms to identify risks and the potential losses that could arise from them, the greatest dangers are internal. "What we have seen historically is that a lot of the security spend is on security operations," says Vigilant CEO Alison Andrews. That was viewed as a necessity to guard against external threats, but when firms examined their spending against true business risk, they saw a mismatch. Now institutions are developing more sophisticated ways to monitor activity inside the firewalls, says Andrews.
Mark Horvath, industry technology strategist for capital markets at Redmond, Wash.-based Microsoft Corp., agrees that the security environment has improved over the last five years. "Companies were getting slammed by worms and blamed vendors," he recalls. "But most large companies hadn't put any investment into their security platform. Now they are recognizing activities like internal fraud, which was going on before but they were so busy with outside problems they didn't have time to catch it."
One way to bolster internal security is through the network, says Evan Bauer, CTO of Portland, Ore.-based technology company Collaborative Software Initiative. Firms that use two-factor authentication--a smart card plus a password, for example--to allow access from outside the firewall should use the same tools inside, says Bauer. "Otherwise anyone who gets into the office can access the system if they can get passwords."
He adds, "Societe Generale's $7 billion loss from a trader who apparently managed to hide his losses through logging onto risk management systems with borrowed passwords has everyone interested in security taking a fresh look at potential vulnerabilities." Two-factor authentication would have prevented the trader from getting onto control systems, says Bauer.
Rodney Nelsestuen, senior analyst at TowerGroup in Needham, Mass., says the bank had security systems in place, "yet a rogue trader could go in, talk to friends and get their passwords. He removed some roadblocks and then did what he wanted. You had a whole bunch of systems in place and someone was able, with human engineering, to circumvent them."
That's why consultants emphasize a culture of security, making people think about what they are doing and insisting they report any call from a "help desk" asking for their password. Though people generally don't like to treat their colleagues as suspects, a certain level of alertness is necessary, explains Nelsestuen. "Look at airline pilots as they prepare to board a plane," he says. "They check each other's credentials, look at the photo ID and then at the person's face."
One security expert suggests that a careful interviewing and hiring process is the first line of defense against rogue employees.