January/February 2006 issue
As firewalls and intrusion detection replace the steel vault and
security guard at banks, some are asking if our money is still safe.
Up to a point.
Because that’s where the money is. This, claimed the notorious
Willie Sutton, was why he robbed banks.
The attraction is undiminished 70 years later, even though money
is less and less cold, hard cash, and more and more a collection
of digital ones and zeroes. Hacking and information theft are replacing
tommy guns and dynamite. Last year’s much-publicized attempt
to use keyloggers to steal millions from Sumitomo Bank in London
shows that the threat is very real.
Business as usual
On a business level, investment banks face the same threats as any
other organization. “A lot of my time goes into…managing
vulnerabilities in vendor software, patch management, anti-virus
etc.,” says the head of IT security at a major bank, speaking
on condition of anonymity.
However, these apparently mundane attacks carry the risk of a much
more serious intrusion. A virus or Trojan could install a keylogger;
a port probe could be a random scanner, or start a denial of service
attack or an intrusion attempt.
Bankers worry about protecting their reputation and are wary of
disclosing sensitive information inadvertently. But investment bankers
are obsessed with secrecy. It is a world utterly dependent on IT,
in which time-sensitive market information is quickly converted
to profit. Banks trade on their reputations, and any failure that
undermines their customers’ confidence in them could have
catastrophic consequences for their businesses.
Junction city
Investment banks are probably the most connected organizations
on the planet. They each have hundreds, even thousands, of virtual
private networks (VPNs), leased lines and circuits, that connect
them to stock exchanges, customer networks, suppliers, market data
vendors like Reuters and Bloomberg, and to their own clients such
as hedge and pension funds.
“It’s an immense challenge (to manage all the different
networks),” says Frédéric Ponzo, managing director
of NET2S Group. “It’s like a big plate of spaghetti.”
Just maintaining firewalls and intrusion detection systems is a
huge task. However, the perimeter is not as clearly defined as it
was, thanks to increasingly complex relationships with third parties.
For example, some suppliers want to install their own hardware on
bank premises.
“We keep getting cases where third parties want to get rights
on the system to control their own boxes,” says one City IT
executive, speaking on condition of anonymity. Not only is this
a demarcation challenge, but he fears that one compromised machine
might provide a stepping stone to others inside the firewall.
In addition, internet-based connectivity is driving out dedicated
leased lines. “We’re seeing this more and more as specialist
services get outsourced,” he adds.
Many banks’ IT environments now resemble a castle with too
many drawbridges and sally ports. The challenge is to evolve security
models to allow these changes while maintaining strong external
defences.
Inside the moat
The situation isn’t much better in the citadel. Graeme Cox,
managing director of DNS, a specialist in IT solutions for the banking
industry, sees more spent on traffic analysis, compartmentalization
and internal firewalls to boost security inside the perimeter.
The attack on Sumitomo Bank shows another kind of internal risk,
that of uncontrolled physical access. “It’s by no means
a new threat,” reckons one industry insider. The devices involved
have been around for several years, but the incident highlights
the need for careful screening of staff and suppliers and for access
control.
The human element is evident elsewhere too. Banks traditionally
have “Chinese walls” to block communications between
certain activities, for example between corporate finance and trading
departments. “We can put in technical barriers, but in practice
you can still go and have a coffee with someone on the other side
of the Chinese wall,” says Andrew Yeomans, vice-president
of global information security at Dresdner Kleinwort Wasserstein.
Ultimately, he adds, good security is also about “teaching
people what to do”.
Access controls and audit trails
NET2S’s Ponzo says interest in identity management has surged
in the past 18 months. “The holy grail is having a single
system where you list all users and all systems and all privileges,”
he says.
It’s all about refining access control. In the past, controlling
access to the network sufficed. Now banks are looking at using centralized
identity management systems to control access to applications. Next
they may begin to monitor and control access to individual records
inside databases.
Although rare at the moment—one vendor reckons one in 100
banks do it—record-level access may become more important
as other security loopholes are closed. Pretty much every database
system can log access at various levels, says Will Edward, a vice-president
at Embarcadero, but banks don’t use it because it hurts performance.
His company sells a tool that monitors SQL statements as they travel
across the network; this achieves the same result without slowing
the database.
The Sumitomo case showed how insider access can subvert electronic
defences. When they have legitimate access to the information, it’s
hard to stop employees plugging an iPod into a USB port and siphoning
off 60GB of data. As a result, banks are publicizing increased use
of audit trails to deter would-be information thieves.
“If we can see that someone has taken a backup of the client
database a week before they leave, then we can say to them ‘We
know what you’ve got’,” says Dresdner’s
Yeomans.
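Monitoring SQL statements as they cross the network, and then using that audit trail to spot someone copying the client database, can be sketched as a small statement classifier. The following Python is an added example, not Embarcadero’s tool or any bank’s code; the captured feed format, the user names, hosts and table names are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample of SQL statements captured off the wire (not real bank
# traffic): one statement per line as "<user>\t<client_host>\t<statement>".
CAPTURED = """\
jsmith\t10.1.4.22\tSELECT name, balance FROM clients WHERE client_id = 4471
jsmith\t10.1.4.22\tUPDATE clients SET phone = '020 7000 0000' WHERE client_id = 4471
agreen\t10.1.9.7\tSELECT * FROM clients
agreen\t10.1.9.7\tSELECT * FROM client_accounts
agreen\t10.1.9.7\tSELECT client_id, email FROM clients WHERE region = 'EMEA'
ops\t10.1.2.1\tSELECT COUNT(*) FROM trades WHERE trade_date = '2006-01-12'
"""

# Tables whose wholesale export would matter (assumed names).
SENSITIVE_TABLES = {"clients", "client_accounts"}

# Matches a single-table SELECT and captures whether it carries a WHERE clause.
SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)(?P<rest>\s+WHERE\b.*)?\s*$",
    re.IGNORECASE,
)

def parse_capture(text):
    """Split the captured feed into (user, host, statement) records."""
    records = []
    for line in text.strip().splitlines():
        user, host, stmt = line.split("\t", 2)
        records.append({"user": user, "host": host, "stmt": stmt})
    return records

def is_bulk_read(stmt):
    """Return the sensitive table read in full (no WHERE clause), else None."""
    m = SELECT_RE.match(stmt)
    if not m:
        return None
    table = m.group("table").lower()
    if table in SENSITIVE_TABLES and not m.group("rest"):
        return table
    return None

def bulk_reads_by_user(text):
    """Map each user to the sensitive tables they read in full (audit evidence)."""
    hits = defaultdict(list)
    for rec in parse_capture(text):
        table = is_bulk_read(rec["stmt"])
        if table:
            hits[rec["user"]].append(table)
    return dict(hits)
```

Run over the sample feed, only agreen’s two full-table reads are reported; jsmith’s narrowed queries and the ops count on a non-sensitive table pass through untouched.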
Cost and practicality force banks (and other businesses) to trade
off deterrence, prevention and consequence management. Yeomans recognizes
that you can’t prevent every possible abuse. “If we
can do something technically, we’ll do it,” he says.
“It’s worth putting up small hurdles in some cases but
more often it’s either a big hurdle or consequence management.”
Demanding traders
One big difference between investment banks and other businesses
(except perhaps show business and sport) is the power and ego of
star individuals. Traders who make lots of money for banks can be
ferocious in their demands. “If a head trader starts screaming
that he wants something now, they tend to say okay,” says
Phil Gould, UK country manager at Deny All, a company that sells
application-level firewalls. “Security teams aren’t
allowed to get in the way.”
In a world where a tiny edge in performance can yield millions of
pounds in profit, traders demand, and get, the best kit. For example,
it is not uncommon for traders to have gigabit, server-grade network
connections rather than the usual 100Mb/s Cat5 cabling. Individuals
might have expensive dedicated phone systems, six screens and a
rack of computers to themselves.
As communication is so vital to the job, traders are early adopters
of technology. The 1980s cliché of a city trader yelling
into a brick of a mobile phone is based on fact. Today, “videos,
instant messaging, blogs—you name it, we’ve got it somewhere,”
says a security manager in one bank.
Besides, traders like owning the bragging rights to the latest cool
tool. Instant messaging is a good example. They started using it
because the latest cellphones offered it, and discovered that IM
is an effective medium. At first banks tried blocking IM with firewalls;
they are now using more secure IM systems such as Reuters Messaging
or Microsoft Live Communication Server. Neil Laver, a marketing
manager at Microsoft, says, “Pretty well anyone who is anyone
in the City is either running a pilot or has already purchased software
from us.”
Banks face risks such as fraud, insider trading, information theft
and breach of regulations that are essentially part of their business.
But they are also part of the country’s critical infrastructure.
Confidence in the resilience of the banking system is essential
to any nation’s economy.
This was tested in an industry-wide disaster recovery exercise in
the City of London at the end of last year. Organized by the government,
the Bank of England and the Financial Services Authority, it involved
around 80 organizations and over 1,000 people in a realistic simulation
of a major incident.
Despite some recommendations on specific areas, an initial report
asserts “Many firms operate world-class IT continuity solutions
which, overall, provide a high degree of confidence that technology
could be restored quickly in the event of disruption.” It
seems Britain’s core financial infrastructure could be up
and running within two hours, handling 60-80% of normal volumes
within four hours, and pretty much back to normal within a day.
But regulations, Sarbanes-Oxley for example, are driving security
standards higher. Non-compliance has a monetary cost that is more
credible than a probable risk. “Secretly, a lot of IT security
managers are quite pleased with these requirements,” says
Graeme Cox, because compliance makes it easier for them to win the
budget debate.
Actual performance varies across the industry, say insiders. The
big banks are generally very aware and very good. Some of the start-up
hedge funds and asset managers are less aware, and not doing more
than the bare minimum. Experts talk of ten guys in a garage, with
one IT geek doing all the technical support and security, yet the
business can be trading millions every day, mostly on margin (i.e.
borrowed money). It’s a small segment of the industry, but
it’s a scary prospect.
Matthew Stibbe is a freelance business and technology journalist
and writes for Director and Wired among others.